diff --git a/.github/scripts/windows/test_task.bat b/.github/scripts/windows/test_task.bat index 124b9b019ca4b..223d654300357 100644 --- a/.github/scripts/windows/test_task.bat +++ b/.github/scripts/windows/test_task.bat @@ -58,12 +58,15 @@ if "%PLATFORM%" == "x64" ( curl -sLo Firebird.zip %PHP_FIREBIRD_DOWNLOAD_URL% 7z x -oC:\Firebird Firebird.zip set PDO_FIREBIRD_TEST_DATABASE=C:\test.fdb -set PDO_FIREBIRD_TEST_DSN=firebird:dbname=%PDO_FIREBIRD_TEST_DATABASE% +set PDO_FIREBIRD_TEST_DSN=firebird:dbname=127.0.0.1:%PDO_FIREBIRD_TEST_DATABASE% set PDO_FIREBIRD_TEST_USER=SYSDBA set PDO_FIREBIRD_TEST_PASS=phpfi +echo create user %PDO_FIREBIRD_TEST_USER% password '%PDO_FIREBIRD_TEST_PASS%';> C:\Firebird\create_user.sql +echo commit;>> C:\Firebird\create_user.sql echo create database '%PDO_FIREBIRD_TEST_DATABASE%' user '%PDO_FIREBIRD_TEST_USER%' password '%PDO_FIREBIRD_TEST_PASS%';> C:\Firebird\setup.sql C:\Firebird\instsvc.exe install -n TestInstance C:\Firebird\isql -q -i C:\Firebird\setup.sql +C:\Firebird\isql -q -i C:\Firebird\create_user.sql -user sysdba %PDO_FIREBIRD_TEST_DATABASE% C:\Firebird\instsvc.exe start -n TestInstance if %errorlevel% neq 0 exit /b 3 path C:\Firebird;%PATH% diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 7198ec22d67e2..b4805d9031d45 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -355,6 +355,7 @@ jobs: path: ${{ github.workspace }}/benchmark/profiles retention-days: 30 FREEBSD: + if: github.repository == 'php/php-src' || github.event_name == 'pull_request' name: FREEBSD runs-on: ubuntu-latest steps: diff --git a/NEWS b/NEWS index 0f8bd8f3d656a..104a053697439 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,81 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -?? ??? ????, PHP 8.4.6 +?? ??? ????, PHP 8.4.7 + +- Core: + . Fixed bug GH-18038 (Lazy proxy calls magic methods twice). (Arnaud) + . Fixed bug GH-18209 (Use-after-free in extract() with EXTR_REFS). (ilutov) + . Fixed bug GH-18268 (Segfault in array_walk() on object with added property + hooks). (ilutov) + . Fixed bug GH-18304 (Changing the properties of a DateInterval through + dynamic properties triggers a SegFault). (nielsdos) + . Fix some leaks in php_scandir. (nielsdos) + +- DBA: + . FIxed bug GH-18247 dba_popen() memory leak on invalid path. (David Carlier) + +- Filter: + . Fixed bug GH-18309 (ipv6 filter integer overflow). (nielsdos) + +- GD: + . Fixed imagecrop() overflow with rect argument with x/width y/heigh usage + in gdImageCrop(). (David Carlier) + . Fixed GH-18243 imagettftext() overflow/underflow on font size value. + (David Carlier) + +- Intl: + . Fix reference support for intltz_get_offset(). (nielsdos) + +- LDAP: + . Fixed bug GH-17776 (LDAP_OPT_X_TLS_* options can't be overridden). (Remi) + . Fix NULL deref on high modification key. (nielsdos) + +- libxml: + . Fixed custom external entity loader returning an invalid resource leading + to a confusing TypeError message. (Girgias) + +- Opcache: + . Fixed bug GH-18294 (assertion failure zend_jit_ir.c). (nielsdos) + . Fixed bug GH-18289 (Fix segfault in JIT). (Florian Engelhardt) + . Fixed bug GH-18136 (tracing JIT floating point register clobbering on + Windows and ARM64). (nielsdos) + +- OpenSSL: + . Fix memory leak in openssl_sign() when passing invalid algorithm. + (nielsdos) + . Fix potential leaks when writing to BIO fails. (nielsdos) + +- PDO Firebird: + . Fixed bug GH-18276 (persistent connection - "zend_mm_heap corrupted" + with setAttribute()) (SakiTakamachi). + . Fixed bug GH-17383 (PDOException has wrong code and message since PHP 8.4) + (SakiTakamachi). + +- PDO Sqlite: + . Fix memory leak on error return of collation callback. (nielsdos) + +- PgSql: + . Fix uouv in pg_put_copy_end(). (nielsdos) + +- SPL: + . Fixed bug GH-18322 (SplObjectStorage debug handler mismanages memory). + (nielsdos) + +- Standard: + . Fixed bug GH-18145 (php8ts crashes in php_clear_stat_cache()). + (Jakub Zelenka) + . Fix resource leak in iptcembed() on error. (nielsdos) + +- Tests: + . Address deprecated PHP 8.4 session options to prevent test failures. + (willvar) + +- Zip: + . Fix uouv when handling empty options in ZipArchive::addGlob(). (nielsdos) + . Fix memory leak when handling a too long path in ZipArchive::addGlob(). + (nielsdos) + +10 Apr 2025, PHP 8.4.6 - BCMath: . Fixed pointer subtraction for scale. (SakiTakamachi) @@ -72,6 +147,10 @@ PHP NEWS - PDO: . Fix memory leak when destroying PDORow. (nielsdos) +- PGSQL: + . Fixed bug GH-18148 (pg_copy_from() regression with explicit \n terminator + due to wrong offset check). (David Carlier) + - Standard: . Fix memory leaks in array_any() / array_all(). (nielsdos) diff --git a/Zend/asm/save_xmm_x86_64_ms_masm.asm b/Zend/asm/save_xmm_x86_64_ms_masm.asm new file mode 100644 index 0000000000000..1569d6bdb0e86 --- /dev/null +++ b/Zend/asm/save_xmm_x86_64_ms_masm.asm @@ -0,0 +1,43 @@ +.code + +; ZEND_API void execute_ex(zend_execute_data *ex) +PUBLIC execute_ex + +EXTERN execute_ex_real:PROC + +; Assembly wrapper around the real execute_ex function, so that we can +; save the preserved registers when re-entering the VM from JIT code. +; See GH-18136. +execute_ex PROC EXPORT FRAME + ; 10 floating points numbers + ; 32 bytes shadow space + ; 8 bytes to align after the return address + sub rsp, 8*10 + 32 + 8 + .allocstack 8*10 + 32 + 8 + .endprolog + movsd qword ptr [rsp + 32 + 8*0], xmm6 + movsd qword ptr [rsp + 32 + 8*1], xmm7 + movsd qword ptr [rsp + 32 + 8*2], xmm8 + movsd qword ptr [rsp + 32 + 8*3], xmm9 + movsd qword ptr [rsp + 32 + 8*4], xmm10 + movsd qword ptr [rsp + 32 + 8*5], xmm11 + movsd qword ptr [rsp + 32 + 8*6], xmm12 + movsd qword ptr [rsp + 32 + 8*7], xmm13 + movsd qword ptr [rsp + 32 + 8*8], xmm14 + movsd qword ptr [rsp + 32 + 8*9], xmm15 + call execute_ex_real + movsd xmm6, qword ptr [rsp + 32 + 8*0] + movsd xmm7, qword ptr [rsp + 32 + 8*1] + movsd xmm8, qword ptr [rsp + 32 + 8*2] + movsd xmm9, qword ptr [rsp + 32 + 8*3] + movsd xmm10, qword ptr [rsp + 32 + 8*4] + movsd xmm11, qword ptr [rsp + 32 + 8*5] + movsd xmm12, qword ptr [rsp + 32 + 8*6] + movsd xmm13, qword ptr [rsp + 32 + 8*7] + movsd xmm14, qword ptr [rsp + 32 + 8*8] + movsd xmm15, qword ptr [rsp + 32 + 8*9] + add rsp, 8*10 + 32 + 8 + ret +execute_ex ENDP + +END diff --git a/Zend/tests/lazy_objects/gh18038-001.phpt b/Zend/tests/lazy_objects/gh18038-001.phpt new file mode 100644 index 0000000000000..88e453c4a251f --- /dev/null +++ b/Zend/tests/lazy_objects/gh18038-001.phpt @@ -0,0 +1,29 @@ +--TEST-- +GH-18038 001: Lazy proxy calls magic methods twice +--FILE-- +$name = $value * 2; + } +} + +$rc = new ReflectionClass(C::class); + +$obj = $rc->newLazyProxy(function () { + echo "init\n"; + return new C; +}); + +$obj->prop = 1; +var_dump($obj->prop); + +?> +--EXPECT-- +string(8) "C::__set" +init +int(2) diff --git a/Zend/tests/lazy_objects/gh18038-002.phpt b/Zend/tests/lazy_objects/gh18038-002.phpt new file mode 100644 index 0000000000000..4c12f21de8115 --- /dev/null +++ b/Zend/tests/lazy_objects/gh18038-002.phpt @@ -0,0 +1,38 @@ +--TEST-- +GH-18038 002: Lazy proxy calls magic methods twice +--FILE-- +$name = $value * 2; + unset($this->$name); + $this->$name = $value * 2; + } +} + +#[AllowDynamicProperties] +class Proxy extends RealInstance { +} + +$rc = new ReflectionClass(Proxy::class); + +$obj = $rc->newLazyProxy(function () { + echo "init\n"; + return new RealInstance; +}); + +$real = $rc->initializeLazyObject($obj); +$real->prop = 1; +var_dump($obj->prop); + +?> +--EXPECT-- +init +string(19) "RealInstance::__set" +string(12) "Proxy::__set" +int(2) diff --git a/Zend/tests/lazy_objects/gh18038-003.phpt b/Zend/tests/lazy_objects/gh18038-003.phpt new file mode 100644 index 0000000000000..1db0588a70cfa --- /dev/null +++ b/Zend/tests/lazy_objects/gh18038-003.phpt @@ -0,0 +1,30 @@ +--TEST-- +GH-18038 003: Lazy proxy calls magic methods twice +--FILE-- +$name; + } +} + +$rc = new ReflectionClass(C::class); + +$obj = $rc->newLazyProxy(function () { + echo "init\n"; + return new C; +}); + +var_dump($obj->prop); + +?> +--EXPECTF-- +string(8) "C::__get" +init + +Warning: Undefined property: C::$prop in %s on line %d +NULL diff --git a/Zend/tests/lazy_objects/gh18038-004.phpt b/Zend/tests/lazy_objects/gh18038-004.phpt new file mode 100644 index 0000000000000..8810efb6bec2e --- /dev/null +++ b/Zend/tests/lazy_objects/gh18038-004.phpt @@ -0,0 +1,45 @@ +--TEST-- +GH-18038 004: Lazy proxy calls magic methods twice +--FILE-- +$name); + return $this->$name; + } +} + +#[AllowDynamicProperties] +class Proxy extends RealInstance { + public function __get($name) { + var_dump(get_class($this)."::".__FUNCTION__); + return $this->$name; + } +} + +$rc = new ReflectionClass(Proxy::class); + +$obj = $rc->newLazyProxy(function () { + echo "init\n"; + return new RealInstance; +}); + +$real = $rc->initializeLazyObject($obj); +var_dump($real->prop); + +?> +--EXPECTF-- +init +string(19) "RealInstance::__get" +string(12) "Proxy::__get" + +Warning: Undefined property: RealInstance::$prop in %s on line %d +NULL + +Warning: Undefined property: RealInstance::$prop in %s on line %d +NULL diff --git a/Zend/tests/lazy_objects/gh18038-005.phpt b/Zend/tests/lazy_objects/gh18038-005.phpt new file mode 100644 index 0000000000000..b728d45253daf --- /dev/null +++ b/Zend/tests/lazy_objects/gh18038-005.phpt @@ -0,0 +1,28 @@ +--TEST-- +GH-18038 005: Lazy proxy calls magic methods twice +--FILE-- +$name['']); + } +} + +$rc = new ReflectionClass(C::class); + +$obj = $rc->newLazyProxy(function () { + echo "init\n"; + return new C; +}); + +var_dump(isset($obj->prop[''])); + +?> +--EXPECT-- +string(10) "C::__isset" +init +bool(false) diff --git a/Zend/tests/lazy_objects/gh18038-006.phpt b/Zend/tests/lazy_objects/gh18038-006.phpt new file mode 100644 index 0000000000000..256f0be8e202b --- /dev/null +++ b/Zend/tests/lazy_objects/gh18038-006.phpt @@ -0,0 +1,37 @@ +--TEST-- +GH-18038 006: Lazy proxy calls magic methods twice +--FILE-- +$name['']); + } + public function __get($name) { + var_dump(__METHOD__); + return $this->$name['']; + } +} + +$rc = new ReflectionClass(C::class); + +$obj = $rc->newLazyProxy(function () { + echo "init\n"; + return new C; +}); + +var_dump(isset($obj->prop[''])); + +?> +--EXPECTF-- +string(10) "C::__isset" +string(8) "C::__get" +init + +Warning: Undefined property: C::$prop in %s on line %d + +Warning: Trying to access array offset on null in %s on line %d +bool(false) diff --git a/Zend/tests/lazy_objects/gh18038-007.phpt b/Zend/tests/lazy_objects/gh18038-007.phpt new file mode 100644 index 0000000000000..9925190a19801 --- /dev/null +++ b/Zend/tests/lazy_objects/gh18038-007.phpt @@ -0,0 +1,41 @@ +--TEST-- +GH-18038 007: Lazy proxy calls magic methods twice +--FILE-- +$name[''])); + return isset($this->$name['']); + } +} + +#[AllowDynamicProperties] +class Proxy extends RealInstance { + public function __isset($name) { + var_dump(get_class($this)."::".__FUNCTION__); + return isset($this->$name['']); + } +} + +$rc = new ReflectionClass(Proxy::class); + +$obj = $rc->newLazyProxy(function () { + echo "init\n"; + return new RealInstance; +}); + +$real = $rc->initializeLazyObject($obj); +var_dump(isset($real->prop[''])); + +?> +--EXPECT-- +init +string(21) "RealInstance::__isset" +string(14) "Proxy::__isset" +bool(false) +bool(false) diff --git a/Zend/tests/lazy_objects/gh18038-008.phpt b/Zend/tests/lazy_objects/gh18038-008.phpt new file mode 100644 index 0000000000000..34d6e766163de --- /dev/null +++ b/Zend/tests/lazy_objects/gh18038-008.phpt @@ -0,0 +1,28 @@ +--TEST-- +GH-18038 008: Lazy proxy calls magic methods twice +--FILE-- +$name); + } +} + +$rc = new ReflectionClass(C::class); + +$obj = $rc->newLazyProxy(function () { + echo "init\n"; + return new C; +}); + +var_dump(isset($obj->prop)); + +?> +--EXPECT-- +string(10) "C::__isset" +init +bool(false) diff --git a/Zend/tests/lazy_objects/gh18038-009.phpt b/Zend/tests/lazy_objects/gh18038-009.phpt new file mode 100644 index 0000000000000..3c165a71ccffe --- /dev/null +++ b/Zend/tests/lazy_objects/gh18038-009.phpt @@ -0,0 +1,41 @@ +--TEST-- +GH-18038 009: Lazy proxy calls magic methods twice +--FILE-- +$name)); + return isset($this->$name); + } +} + +#[AllowDynamicProperties] +class Proxy extends RealInstance { + public function __isset($name) { + var_dump(get_class($this)."::".__FUNCTION__); + return isset($this->$name); + } +} + +$rc = new ReflectionClass(Proxy::class); + +$obj = $rc->newLazyProxy(function () { + echo "init\n"; + return new RealInstance; +}); + +$real = $rc->initializeLazyObject($obj); +var_dump(isset($real->prop)); + +?> +--EXPECT-- +init +string(21) "RealInstance::__isset" +string(14) "Proxy::__isset" +bool(false) +bool(false) diff --git a/Zend/tests/lazy_objects/gh18038-010.phpt b/Zend/tests/lazy_objects/gh18038-010.phpt new file mode 100644 index 0000000000000..584c18580a210 --- /dev/null +++ b/Zend/tests/lazy_objects/gh18038-010.phpt @@ -0,0 +1,35 @@ +--TEST-- +GH-18038 010: Lazy proxy calls magic methods twice +--FILE-- +$name); + } +} + +$rc = new ReflectionClass(C::class); + +$obj = $rc->newLazyProxy(function () { + echo "init\n"; + return new C; +}); + +unset($obj->prop); +var_dump($obj); + +?> +--EXPECTF-- +string(10) "C::__unset" +init +lazy proxy object(C)#%d (1) { + ["instance"]=> + object(C)#%d (1) { + ["_"]=> + NULL + } +} diff --git a/Zend/tests/lazy_objects/gh18038-011.phpt b/Zend/tests/lazy_objects/gh18038-011.phpt new file mode 100644 index 0000000000000..b356f9e4f384d --- /dev/null +++ b/Zend/tests/lazy_objects/gh18038-011.phpt @@ -0,0 +1,45 @@ +--TEST-- +GH-18038 011: Lazy proxy calls magic methods twice +--FILE-- +$name); + } +} + +#[AllowDynamicProperties] +class Proxy extends RealInstance { + public function __isset($name) { + var_dump(get_class($this)."::".__FUNCTION__); + unset($this->$name); + } +} + +$rc = new ReflectionClass(Proxy::class); + +$obj = $rc->newLazyProxy(function () { + echo "init\n"; + return new RealInstance; +}); + +$real = $rc->initializeLazyObject($obj); +unset($real->prop); +var_dump($obj); + +?> +--EXPECTF-- +init +string(21) "RealInstance::__unset" +lazy proxy object(Proxy)#%d (1) { + ["instance"]=> + object(RealInstance)#%d (1) { + ["_"]=> + NULL + } +} diff --git a/Zend/tests/lazy_objects/gh18038-012.phpt b/Zend/tests/lazy_objects/gh18038-012.phpt new file mode 100644 index 0000000000000..5bc83333d81c7 --- /dev/null +++ b/Zend/tests/lazy_objects/gh18038-012.phpt @@ -0,0 +1,28 @@ +--TEST-- +GH-18038 012: Lazy proxy calls magic methods twice +--FILE-- +$name = $value * 2; + } +} + +$rc = new ReflectionClass(C::class); + +$obj = $rc->newLazyGhost(function () { + echo "init\n"; +}); + +$obj->prop = 1; +var_dump($obj->prop); + +?> +--EXPECT-- +string(8) "C::__set" +init +int(2) diff --git a/Zend/tests/property_hooks/gh18268.phpt b/Zend/tests/property_hooks/gh18268.phpt new file mode 100644 index 0000000000000..9836bb6d96270 --- /dev/null +++ b/Zend/tests/property_hooks/gh18268.phpt @@ -0,0 +1,23 @@ +--TEST-- +GH-18268: array_walk() on object with added property hooks +--FILE-- + +--EXPECT-- +int(42) diff --git a/Zend/zend.h b/Zend/zend.h index c787b54940d92..fb09c6bdf50e5 100644 --- a/Zend/zend.h +++ b/Zend/zend.h @@ -20,7 +20,7 @@ #ifndef ZEND_H #define ZEND_H -#define ZEND_VERSION "4.4.6-dev" +#define ZEND_VERSION "4.4.7" #define ZEND_ENGINE_3 diff --git a/Zend/zend_compile.h b/Zend/zend_compile.h index 7f425852d01b4..b2e7de4c343ae 100644 --- a/Zend/zend_compile.h +++ b/Zend/zend_compile.h @@ -464,6 +464,8 @@ typedef struct _zend_property_info { ((uint32_t)(XtOffsetOf(zend_object, properties_table) + sizeof(zval) * (num))) #define OBJ_PROP_TO_NUM(offset) \ (((offset) - OBJ_PROP_TO_OFFSET(0)) / sizeof(zval)) +#define OBJ_PROP_SLOT_TO_OFFSET(obj, slot) \ + ((uintptr_t)(slot) - (uintptr_t)(obj)) typedef struct _zend_class_constant { zval value; /* flags are stored in u2 */ diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c index a4dba771e3ef5..4aea3501cf269 100644 --- a/Zend/zend_object_handlers.c +++ b/Zend/zend_object_handlers.c @@ -946,6 +946,18 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int goto exit; } + if (UNEXPECTED(guard)) { + uint32_t guard_type = (type == BP_VAR_IS) && zobj->ce->__isset + ? IN_ISSET : IN_GET; + guard = zend_get_property_guard(zobj, name); + if (!((*guard) & guard_type)) { + (*guard) |= guard_type; + retval = zend_std_read_property(zobj, name, type, cache_slot, rv); + (*guard) &= ~guard_type; + return retval; + } + } + return zend_std_read_property(zobj, name, type, cache_slot, rv); } } @@ -970,6 +982,43 @@ static zend_always_inline bool property_uses_strict_types(void) { && ZEND_CALL_USES_STRICT_TYPES(EG(current_execute_data)); } +static zval *forward_write_to_lazy_object(zend_object *zobj, + zend_string *name, zval *value, void **cache_slot, bool guarded) +{ + zval *variable_ptr; + + /* backup value as it may change during initialization */ + zval backup; + ZVAL_COPY(&backup, value); + + zend_object *instance = zend_lazy_object_init(zobj); + if (UNEXPECTED(!instance)) { + zval_ptr_dtor(&backup); + return &EG(error_zval); + } + + if (UNEXPECTED(guarded)) { + uint32_t *guard = zend_get_property_guard(instance, name); + if (!((*guard) & IN_SET)) { + (*guard) |= IN_SET; + variable_ptr = zend_std_write_property(instance, name, &backup, cache_slot); + (*guard) &= ~IN_SET; + goto exit; + } + } + + variable_ptr = zend_std_write_property(instance, name, &backup, cache_slot); + +exit: + zval_ptr_dtor(&backup); + + if (variable_ptr == &backup) { + variable_ptr = value; + } + + return variable_ptr; +} + ZEND_API zval *zend_std_write_property(zend_object *zobj, zend_string *name, zval *value, void **cache_slot) /* {{{ */ { zval *variable_ptr, tmp; @@ -1151,7 +1200,8 @@ found:; variable_ptr = value; } else if (EXPECTED(!IS_WRONG_PROPERTY_OFFSET(property_offset))) { if (UNEXPECTED(zend_lazy_object_must_init(zobj))) { - goto lazy_init; + return forward_write_to_lazy_object(zobj, name, value, + cache_slot, /* guarded */ true); } goto write_std_property; @@ -1198,26 +1248,9 @@ found:; exit: return variable_ptr; -lazy_init:; - /* backup value as it may change during initialization */ - zval backup; - ZVAL_COPY(&backup, value); - - zobj = zend_lazy_object_init(zobj); - if (UNEXPECTED(!zobj)) { - variable_ptr = &EG(error_zval); - zval_ptr_dtor(&backup); - goto exit; - } - - variable_ptr = zend_std_write_property(zobj, name, &backup, cache_slot); - zval_ptr_dtor(&backup); - - if (variable_ptr == &backup) { - variable_ptr = value; - } - - return variable_ptr; +lazy_init: + return forward_write_to_lazy_object(zobj, name, value, cache_slot, + /* guarded */ false); } /* }}} */ @@ -1538,6 +1571,17 @@ ZEND_API void zend_std_unset_property(zend_object *zobj, zend_string *name, void if (!zobj) { return; } + + if (UNEXPECTED(guard)) { + guard = zend_get_property_guard(zobj, name); + if (!((*guard) & IN_UNSET)) { + (*guard) |= IN_UNSET; + zend_std_unset_property(zobj, name, cache_slot); + (*guard) &= ~IN_UNSET; + return; + } + } + zend_std_unset_property(zobj, name, cache_slot); return; } @@ -2323,6 +2367,8 @@ ZEND_API int zend_std_has_property(zend_object *zobj, zend_string *name, int has } (*guard) &= ~IN_ISSET; OBJ_RELEASE(zobj); + } else { + goto lazy_init; } } @@ -2338,6 +2384,16 @@ ZEND_API int zend_std_has_property(zend_object *zobj, zend_string *name, int has goto exit; } + if (UNEXPECTED(zobj->ce->__isset)) { + uint32_t *guard = zend_get_property_guard(zobj, name); + if (!((*guard) & IN_ISSET)) { + (*guard) |= IN_ISSET; + result = zend_std_has_property(zobj, name, has_set_exists, cache_slot); + (*guard) &= ~IN_ISSET; + return result; + } + } + return zend_std_has_property(zobj, name, has_set_exists, cache_slot); } } diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c index 1ba250bec6439..9b1b6dd4fcbb4 100644 --- a/Zend/zend_objects_API.c +++ b/Zend/zend_objects_API.c @@ -203,7 +203,7 @@ ZEND_API void ZEND_FASTCALL zend_objects_store_del(zend_object *object) /* {{{ * ZEND_API ZEND_COLD zend_property_info *zend_get_property_info_for_slot_slow(zend_object *obj, zval *slot) { - uintptr_t offset = (uintptr_t)slot - (uintptr_t)obj->properties_table; + uintptr_t offset = OBJ_PROP_SLOT_TO_OFFSET(obj, slot); zend_property_info *prop_info; ZEND_HASH_MAP_FOREACH_PTR(&obj->ce->properties_info, prop_info) { if (prop_info->offset == offset) { diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 2f6f0af2d872c..a8bf9da828593 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -55025,10 +55025,19 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_NULL_HANDLER(ZEND_OPCODE_HANDL # pragma GCC optimize("no-gcse") # pragma GCC optimize("no-ivopts") #endif +#ifdef _WIN64 +/* See save_xmm_x86_64_ms_masm.asm */ +void execute_ex_real(zend_execute_data *ex) +#else ZEND_API void execute_ex(zend_execute_data *ex) +#endif { DCL_OPLINE +#if defined(__GNUC__) && defined(__aarch64__) + __asm__ __volatile__ (""::: "v8","v9","v10","v11","v12","v13","v14","v15"); +#endif + #if defined(ZEND_VM_IP_GLOBAL_REG) || defined(ZEND_VM_FP_GLOBAL_REG) struct { #ifdef ZEND_VM_HYBRID_JIT_RED_ZONE_SIZE diff --git a/Zend/zend_vm_execute.skl b/Zend/zend_vm_execute.skl index 717d4ffd3e8af..5b4799cd67c2a 100644 --- a/Zend/zend_vm_execute.skl +++ b/Zend/zend_vm_execute.skl @@ -5,10 +5,19 @@ # pragma GCC optimize("no-gcse") # pragma GCC optimize("no-ivopts") #endif +#ifdef _WIN64 +/* See save_xmm_x86_64_ms_masm.asm */ +void {%EXECUTOR_NAME%}_ex_real(zend_execute_data *ex) +#else ZEND_API void {%EXECUTOR_NAME%}_ex(zend_execute_data *ex) +#endif { DCL_OPLINE +#if defined(__GNUC__) && defined(__aarch64__) + __asm__ __volatile__ (""::: "v8","v9","v10","v11","v12","v13","v14","v15"); +#endif + {%HELPER_VARS%} {%INTERNAL_LABELS%} diff --git a/benchmark/generate_diff.php b/benchmark/generate_diff.php index b62f55c06d9e4..94c020df4b998 100644 --- a/benchmark/generate_diff.php +++ b/benchmark/generate_diff.php @@ -10,6 +10,7 @@ function main(?string $headCommitHash, ?string $baseCommitHash) { $repo = __DIR__ . '/repos/data'; cloneRepo($repo, 'git@github.com:php/benchmarking-data.git'); + $baseCommitHash = find_benchmarked_commit_hash($repo, $baseCommitHash); $headSummaryFile = $repo . '/' . substr($headCommitHash, 0, 2) . '/' . $headCommitHash . '/summary.json'; $baseSummaryFile = $repo . '/' . substr($baseCommitHash, 0, 2) . '/' . $baseCommitHash . '/summary.json'; if (!file_exists($headSummaryFile)) { @@ -60,6 +61,28 @@ function formatDiff(?int $baseInstructions, int $headInstructions): string { return sprintf('%.2f%%', $instructionDiff / $baseInstructions * 100); } +function find_benchmarked_commit_hash(string $repo, string $commitHash): ?string { + $repeat = 10; + + while (true) { + if ($repeat-- <= 0) { + fwrite(STDERR, "Count not find benchmarked commit hash\n"); + exit(1); + } + $summaryFile = $repo . '/' . substr($commitHash, 0, 2) . '/' . $commitHash . '/summary.json'; + if (file_exists($summaryFile)) { + break; + } + $commitHash = trim(runCommand( + ['git', 'rev-parse', $commitHash . '^'], + dirname(__DIR__), + printCommand: false, + )->stdout); + } + + return $commitHash; +} + $headCommitHash = $argv[1] ?? null; $baseCommitHash = $argv[2] ?? null; $output = main($headCommitHash, $baseCommitHash); diff --git a/benchmark/shared.php b/benchmark/shared.php index 450101770b28b..0f58a2a1bf870 100644 --- a/benchmark/shared.php +++ b/benchmark/shared.php @@ -5,12 +5,14 @@ class ProcessResult { public $stderr; } -function runCommand(array $args, ?string $cwd = null): ProcessResult { +function runCommand(array $args, ?string $cwd = null, bool $printCommand = true): ProcessResult { $cmd = implode(' ', array_map('escapeshellarg', $args)); $pipes = null; $result = new ProcessResult(); $descriptorSpec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']]; - fwrite(STDOUT, "> $cmd\n"); + if ($printCommand) { + fwrite(STDOUT, "> $cmd\n"); + } $processHandle = proc_open($cmd, $descriptorSpec, $pipes, $cwd ?? getcwd(), null); $stdin = $pipes[0]; diff --git a/build/Makefile.global b/build/Makefile.global index d5170ebcae4ac..52a629c048a22 100644 --- a/build/Makefile.global +++ b/build/Makefile.global @@ -89,7 +89,7 @@ PHP_TEST_SHARED_EXTENSIONS = ` \ . $$i; $(top_srcdir)/build/shtool echo -n -- " -d zend_extension=$(top_builddir)/modules/$$dlname"; \ done; \ fi` -PHP_DEPRECATED_DIRECTIVES_REGEX = '^(magic_quotes_(gpc|runtime|sybase)?|(zend_)?extension(_debug)?(_ts)?)[\t\ ]*=' +PHP_DEPRECATED_DIRECTIVES_REGEX = '^(magic_quotes_(gpc|runtime|sybase)?|(zend_)?extension(_debug)?(_ts)?|session\.sid_(length|bits_per_character))[\t\ ]*=' test: all @if test ! -z "$(PHP_EXECUTABLE)" && test -x "$(PHP_EXECUTABLE)"; then \ diff --git a/configure.ac b/configure.ac index 63a30a9def502..0a4056d1bc547 100644 --- a/configure.ac +++ b/configure.ac @@ -17,7 +17,7 @@ dnl Basic autoconf initialization, generation of config.nice. dnl ---------------------------------------------------------------------------- AC_PREREQ([2.68]) -AC_INIT([PHP],[8.4.6-dev],[https://github.com/php/php-src/issues],[php],[https://www.php.net]) +AC_INIT([PHP],[8.4.7],[https://github.com/php/php-src/issues],[php],[https://www.php.net]) AC_CONFIG_SRCDIR([main/php_version.h]) AC_CONFIG_AUX_DIR([build]) AC_PRESERVE_HELP_ORDER diff --git a/ext/date/php_date.c b/ext/date/php_date.c index 4093f7a444cf2..2148048be4fd4 100644 --- a/ext/date/php_date.c +++ b/ext/date/php_date.c @@ -4618,7 +4618,9 @@ static zval *date_interval_get_property_ptr_ptr(zend_object *object, zend_string zend_string_equals_literal(name, "days") || zend_string_equals_literal(name, "invert") ) { /* Fallback to read_property. */ - cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; + if (cache_slot) { + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; + } ret = NULL; } else { ret = zend_std_get_property_ptr_ptr(object, name, type, cache_slot); diff --git a/ext/date/tests/gh18304.phpt b/ext/date/tests/gh18304.phpt new file mode 100644 index 0000000000000..4bab058a7ec4a --- /dev/null +++ b/ext/date/tests/gh18304.phpt @@ -0,0 +1,35 @@ +--TEST-- +GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault) +--CREDITS-- +orose-assetgo +--FILE-- +$field += $i; +var_dump($di); +?> +--EXPECT-- +object(DateInterval)#1 (10) { + ["y"]=> + int(0) + ["m"]=> + int(0) + ["d"]=> + int(1) + ["h"]=> + int(0) + ["i"]=> + int(0) + ["s"]=> + int(0) + ["f"]=> + float(0) + ["invert"]=> + int(0) + ["days"]=> + bool(false) + ["from_string"]=> + bool(false) +} diff --git a/ext/dba/dba.c b/ext/dba/dba.c index 2205b13dfe050..7982e4255b07c 100644 --- a/ext/dba/dba.c +++ b/ext/dba/dba.c @@ -864,9 +864,7 @@ static void php_dba_open(INTERNAL_FUNCTION_PARAMETERS, bool persistent) } if (!connection->info->lock.fp) { /* stream operation already wrote an error message */ - efree(resource_key); - zval_ptr_dtor(return_value); - RETURN_FALSE; + goto fail; } if (!error && !php_stream_supports_lock(connection->info->lock.fp)) { error = "Stream does not support locking"; @@ -885,9 +883,7 @@ static void php_dba_open(INTERNAL_FUNCTION_PARAMETERS, bool persistent) } if (!connection->info->fp) { /* stream operation already wrote an error message */ - efree(resource_key); - zval_ptr_dtor(return_value); - RETURN_FALSE; + goto fail; } if (hptr->flags & (DBA_NO_APPEND|DBA_CAST_AS_FD)) { /* Needed because some systems do not allow to write to the original @@ -895,9 +891,7 @@ static void php_dba_open(INTERNAL_FUNCTION_PARAMETERS, bool persistent) */ if (SUCCESS != php_stream_cast(connection->info->fp, PHP_STREAM_AS_FD, (void*)&connection->info->fd, 1)) { php_error_docref(NULL, E_WARNING, "Could not cast stream"); - efree(resource_key); - zval_ptr_dtor(return_value); - RETURN_FALSE; + goto fail; #ifdef F_SETFL } else if (modenr == DBA_CREAT) { int flags = fcntl(connection->info->fd, F_GETFL); @@ -931,9 +925,7 @@ static void php_dba_open(INTERNAL_FUNCTION_PARAMETERS, bool persistent) php_error_docref(NULL, E_WARNING, "Driver initialization failed for handler: %s", hptr->name); } } - efree(resource_key); - zval_ptr_dtor(return_value); - RETURN_FALSE; + goto fail; } connection->info->hnd = hptr; @@ -942,6 +934,7 @@ static void php_dba_open(INTERNAL_FUNCTION_PARAMETERS, bool persistent) if (zend_register_persistent_resource(resource_key, resource_key_len, connection->info, le_pdb) == NULL) { php_error_docref(NULL, E_WARNING, "Could not register persistent resource"); efree(resource_key); + dba_close_connection(connection); zval_ptr_dtor(return_value); RETURN_FALSE; } @@ -949,6 +942,14 @@ static void php_dba_open(INTERNAL_FUNCTION_PARAMETERS, bool persistent) zend_hash_add_new(&DBA_G(connections), connection->hash, return_value); efree(resource_key); + return; +fail: + efree(resource_key); + zend_string_release_ex(connection->hash, persistent); + dba_close_info(connection->info); + connection->info = NULL; + zval_ptr_dtor(return_value); + RETURN_FALSE; } /* }}} */ diff --git a/ext/dba/tests/gh18247.phpt b/ext/dba/tests/gh18247.phpt new file mode 100644 index 0000000000000..bb757452321d9 --- /dev/null +++ b/ext/dba/tests/gh18247.phpt @@ -0,0 +1,12 @@ +--TEST-- +GH-18247: dba_open() memory leak on invalid path +--EXTENSIONS-- +dba +--FILE-- + +--EXPECTF-- + +Warning: dba_popen(/inexistent): Failed to open stream: No such file or directory in %s on line %d +bool(false) diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c index 819d22712ebfc..3c8d6e15cea20 100644 --- a/ext/dom/php_dom.c +++ b/ext/dom/php_dom.c @@ -362,7 +362,9 @@ static zval *dom_get_property_ptr_ptr(zend_object *object, zend_string *name, in return zend_std_get_property_ptr_ptr(object, name, type, cache_slot); } - cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; + if (cache_slot) { + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; + } return NULL; } diff --git a/ext/dom/tests/gh18304.phpt b/ext/dom/tests/gh18304.phpt new file mode 100644 index 0000000000000..ead44306ff801 --- /dev/null +++ b/ext/dom/tests/gh18304.phpt @@ -0,0 +1,15 @@ +--TEST-- +GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault) +--CREDITS-- +orose-assetgo +--EXTENSIONS-- +dom +--FILE-- +$field .= 'hello'; +var_dump($text->$field); +?> +--EXPECT-- +string(5) "hello" diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c index d0d60c00ebc63..7da3825e30735 100644 --- a/ext/filter/logical_filters.c +++ b/ext/filter/logical_filters.c @@ -762,7 +762,8 @@ static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8]) { int compressed_pos = -1; int blocks = 0; - int num, n, i; + unsigned int num, n; + int i; char *ipv4; const char *end; int ip4elm[4]; diff --git a/ext/filter/tests/gh18309.phpt b/ext/filter/tests/gh18309.phpt new file mode 100644 index 0000000000000..b541f10883fe6 --- /dev/null +++ b/ext/filter/tests/gh18309.phpt @@ -0,0 +1,10 @@ +--TEST-- +GH-18309 (ipv6 filter integer overflow) +--EXTENSIONS-- +filter +--FILE-- + +--EXPECT-- +bool(false) diff --git a/ext/gd/gd.c b/ext/gd/gd.c index daf1f0c67a421..f7ba5ec1c990b 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -3378,6 +3378,17 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode) im = php_gd_libgdimageptr_from_zval_p(IM); } + // FT_F26Dot6 is a signed long alias + if (ptsize < (double)LONG_MIN / 64 || ptsize > (double)LONG_MAX / 64) { + zend_argument_value_error(2, "must be between " ZEND_LONG_FMT " and " ZEND_LONG_FMT, (zend_long)((double)LONG_MIN / 64), (zend_long)((double)LONG_MAX / 64)); + RETURN_THROWS(); + } + + if (UNEXPECTED(!zend_finite(ptsize))) { + zend_argument_value_error(2, "must be finite"); + RETURN_THROWS(); + } + /* convert angle to radians */ angle = angle * (M_PI/180); @@ -3894,6 +3905,26 @@ PHP_FUNCTION(imagecrop) RETURN_THROWS(); } + if ((rect.width > 0 && rect.x > INT_MAX - rect.width)) { + zend_argument_value_error(2, "overflow with \"x\" and \"width\" keys"); + RETURN_THROWS(); + } + + if ((rect.width < 0 && rect.x < INT_MIN - rect.width)) { + zend_argument_value_error(2, "underflow with \"x\" and \"width\" keys"); + RETURN_THROWS(); + } + + if ((rect.height > 0 && rect.y > INT_MAX - rect.height)) { + zend_argument_value_error(2, "overflow with \"y\" and \"height\" keys"); + RETURN_THROWS(); + } + + if ((rect.height < 0 && rect.y < INT_MIN - rect.height)) { + zend_argument_value_error(2, "underflow with \"y\" and \"height\" keys"); + RETURN_THROWS(); + } + im_crop = gdImageCrop(im, &rect); if (im_crop == NULL) { diff --git a/ext/gd/tests/gh18243.phpt b/ext/gd/tests/gh18243.phpt new file mode 100644 index 0000000000000..3235098a3dcc2 --- /dev/null +++ b/ext/gd/tests/gh18243.phpt @@ -0,0 +1,42 @@ +--TEST-- +GH-18243: imagefttext underflow/overflow on $size +--EXTENSIONS-- +gd +--SKIPIF-- + +--FILE-- +getMessage(), PHP_EOL; +} + +try { + imagettftext($im, PHP_INT_MIN, 0, 15, 60, 0, $font, ""); +} catch (\ValueError $e) { + echo $e->getMessage(), PHP_EOL; +} + +try { + imagettftext($im, NAN, 0, 15, 60, 0, $font, ""); +} catch (\ValueError $e) { + echo $e->getMessage(), PHP_EOL; +} + +try { + imagettftext($im, INF, 0, 15, 60, 0, $font, ""); +} catch (\ValueError $e) { + echo $e->getMessage(); +} +?> +--EXPECTF-- +imagettftext(): Argument #2 ($size) must be between %i and %d +imagettftext(): Argument #2 ($size) must be between %i and %d +imagettftext(): Argument #2 ($size) must be finite +imagettftext(): Argument #2 ($size) must be between %i and %d diff --git a/ext/gd/tests/imagecrop_overflow.phpt b/ext/gd/tests/imagecrop_overflow.phpt new file mode 100644 index 0000000000000..3331a6267168a --- /dev/null +++ b/ext/gd/tests/imagecrop_overflow.phpt @@ -0,0 +1,45 @@ +--TEST-- +imagecrop() overflows when the combo x/width or y/height is over INT_MAX or under INT_MIN. +--EXTENSIONS-- +gd +--FILE-- + 2147483647, "y" => 2147483647, "width" => 10, "height" => 10]; + +try { + imagecrop($img, $arr); +} catch (\ValueError $e) { + echo $e->getMessage() . PHP_EOL; +} + +$arr = ["x" => -2147483648, "y" => 0, "width" => -10, "height" => 10]; + +try { + imagecrop($img, $arr); +} catch (\ValueError $e) { + echo $e->getMessage() . PHP_EOL; +} + +$arr = ["x" => 1, "y" => 2147483647, "width" => 10, "height" => 10]; + +try { + imagecrop($img, $arr); +} catch (\ValueError $e) { + echo $e->getMessage() . PHP_EOL; +} + +$arr = ["x" => 1, "y" => -2147483648, "width" => 10, "height" => -10]; + +try { + imagecrop($img, $arr); +} catch (\ValueError $e) { + echo $e->getMessage(); +} +?> +--EXPECT-- +imagecrop(): Argument #2 ($rectangle) overflow with "x" and "width" keys +imagecrop(): Argument #2 ($rectangle) underflow with "x" and "width" keys +imagecrop(): Argument #2 ($rectangle) overflow with "y" and "height" keys +imagecrop(): Argument #2 ($rectangle) underflow with "y" and "height" keys diff --git a/ext/intl/tests/dateformat_format_references.phpt b/ext/intl/tests/dateformat_format_references.phpt index da1a52955f121..576d901edeb82 100644 --- a/ext/intl/tests/dateformat_format_references.phpt +++ b/ext/intl/tests/dateformat_format_references.phpt @@ -1,5 +1,7 @@ --TEST-- Fix dateformat_format() with array argument with values as references. +--EXTENSIONS-- +intl --SKIPIF-- a = $test->b = "hello"; + +$rawOffset =& $test->a; +$dstOffset =& $test->b; +intltz_get_offset($tz, 0.0, true, $rawOffset, $dstOffset); +var_dump($test); +?> +--EXPECT-- +object(Test)#2 (2) { + ["a"]=> + &string(7) "3600000" + ["b"]=> + &string(1) "0" +} diff --git a/ext/intl/timezone/timezone_methods.cpp b/ext/intl/timezone/timezone_methods.cpp index ebde6578a990a..13f50699f0729 100644 --- a/ext/intl/timezone/timezone_methods.cpp +++ b/ext/intl/timezone/timezone_methods.cpp @@ -440,7 +440,7 @@ U_CFUNC PHP_FUNCTION(intltz_get_offset) TIMEZONE_METHOD_INIT_VARS; if (zend_parse_method_parameters(ZEND_NUM_ARGS(), getThis(), - "Odbz/z/", &object, TimeZone_ce_ptr, &date, &local, &rawOffsetArg, + "Odbzz", &object, TimeZone_ce_ptr, &date, &local, &rawOffsetArg, &dstOffsetArg) == FAILURE) { RETURN_THROWS(); } @@ -452,10 +452,8 @@ U_CFUNC PHP_FUNCTION(intltz_get_offset) INTL_METHOD_CHECK_STATUS(to, "error obtaining offset"); - zval_ptr_dtor(rawOffsetArg); - ZVAL_LONG(rawOffsetArg, rawOffset); - zval_ptr_dtor(dstOffsetArg); - ZVAL_LONG(dstOffsetArg, dstOffset); + ZEND_TRY_ASSIGN_REF_LONG(rawOffsetArg, rawOffset); + ZEND_TRY_ASSIGN_REF_LONG(dstOffsetArg, dstOffset); RETURN_TRUE; } diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c index 20245ed56961b..ee3c3c3f9325a 100644 --- a/ext/ldap/ldap.c +++ b/ext/ldap/ldap.c @@ -834,6 +834,21 @@ static PHP_GINIT_FUNCTION(ldap) } /* }}} */ +/* {{{ PHP_RINIT_FUNCTION */ +static PHP_RINIT_FUNCTION(ldap) +{ +#if defined(COMPILE_DL_LDAP) && defined(ZTS) + ZEND_TSRMLS_CACHE_UPDATE(); +#endif + + /* needed before first connect and after TLS option changes */ + LDAPG(tls_newctx) = true; + + return SUCCESS; +} +/* }}} */ + + /* {{{ PHP_MINIT_FUNCTION */ PHP_MINIT_FUNCTION(ldap) { @@ -989,6 +1004,20 @@ PHP_FUNCTION(ldap_connect) snprintf( url, urllen, "ldap://%s:" ZEND_LONG_FMT, host, port ); } +#ifdef LDAP_OPT_X_TLS_NEWCTX + if (LDAPG(tls_newctx) && url && !strncmp(url, "ldaps:", 6)) { + int val = 0; + + /* ensure all pending TLS options are applied in a new context */ + if (ldap_set_option(NULL, LDAP_OPT_X_TLS_NEWCTX, &val) != LDAP_OPT_SUCCESS) { + zval_ptr_dtor(return_value); + php_error_docref(NULL, E_WARNING, "Could not create new security context"); + RETURN_FALSE; + } + LDAPG(tls_newctx) = false; + } +#endif + #ifdef LDAP_API_FEATURE_X_OPENLDAP /* ldap_init() is deprecated, use ldap_initialize() instead. */ @@ -2758,12 +2787,12 @@ PHP_FUNCTION(ldap_modify_batch) ldap_mods = safe_emalloc((num_mods+1), sizeof(LDAPMod *), 0); /* for each modification */ - for (i = 0; i < num_mods; i++) { + i = 0; + ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(mods), fetched) { /* allocate the modification struct */ ldap_mods[i] = safe_emalloc(1, sizeof(LDAPMod), 0); /* fetch the relevant data */ - fetched = zend_hash_index_find(Z_ARRVAL_P(mods), i); mod = fetched; _ldap_hash_fetch(mod, LDAP_MODIFY_BATCH_ATTRIB, &attrib); @@ -2828,7 +2857,9 @@ PHP_FUNCTION(ldap_modify_batch) /* NULL-terminate values */ ldap_mods[i]->mod_bvalues[num_modvals] = NULL; } - } + + i++; + } ZEND_HASH_FOREACH_END(); /* NULL-terminate modifications */ ldap_mods[num_mods] = NULL; @@ -3177,15 +3208,7 @@ PHP_FUNCTION(ldap_set_option) } switch (option) { - /* options with int value */ - case LDAP_OPT_DEREF: - case LDAP_OPT_SIZELIMIT: - case LDAP_OPT_TIMELIMIT: - case LDAP_OPT_PROTOCOL_VERSION: - case LDAP_OPT_ERROR_NUMBER: -#ifdef LDAP_OPT_DEBUG_LEVEL - case LDAP_OPT_DEBUG_LEVEL: -#endif + /* TLS options with int value */ #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT case LDAP_OPT_X_TLS_REQUIRE_CERT: #endif @@ -3197,6 +3220,18 @@ PHP_FUNCTION(ldap_set_option) #endif #ifdef LDAP_OPT_X_TLS_PROTOCOL_MAX case LDAP_OPT_X_TLS_PROTOCOL_MAX: +#endif + /* TLS option change requires resetting TLS context */ + LDAPG(tls_newctx) = true; + ZEND_FALLTHROUGH; + /* other options with int value */ + case LDAP_OPT_DEREF: + case LDAP_OPT_SIZELIMIT: + case LDAP_OPT_TIMELIMIT: + case LDAP_OPT_PROTOCOL_VERSION: + case LDAP_OPT_ERROR_NUMBER: +#ifdef LDAP_OPT_DEBUG_LEVEL + case LDAP_OPT_DEBUG_LEVEL: #endif #ifdef LDAP_OPT_X_KEEPALIVE_IDLE case LDAP_OPT_X_KEEPALIVE_IDLE: @@ -3253,17 +3288,7 @@ PHP_FUNCTION(ldap_set_option) } } break; #endif - /* options with string value */ - case LDAP_OPT_ERROR_STRING: -#ifdef LDAP_OPT_HOST_NAME - case LDAP_OPT_HOST_NAME: -#endif -#ifdef HAVE_LDAP_SASL - case LDAP_OPT_X_SASL_MECH: - case LDAP_OPT_X_SASL_REALM: - case LDAP_OPT_X_SASL_AUTHCID: - case LDAP_OPT_X_SASL_AUTHZID: -#endif + /* TLS options with string value */ #if (LDAP_API_VERSION > 2000) case LDAP_OPT_X_TLS_CACERTDIR: case LDAP_OPT_X_TLS_CACERTFILE: @@ -3277,6 +3302,20 @@ PHP_FUNCTION(ldap_set_option) #endif #ifdef LDAP_OPT_X_TLS_DHFILE case LDAP_OPT_X_TLS_DHFILE: +#endif + /* TLS option change requires resetting TLS context */ + LDAPG(tls_newctx) = true; + ZEND_FALLTHROUGH; + /* other options with string value */ + case LDAP_OPT_ERROR_STRING: +#ifdef LDAP_OPT_HOST_NAME + case LDAP_OPT_HOST_NAME: +#endif +#ifdef HAVE_LDAP_SASL + case LDAP_OPT_X_SASL_MECH: + case LDAP_OPT_X_SASL_REALM: + case LDAP_OPT_X_SASL_AUTHCID: + case LDAP_OPT_X_SASL_AUTHZID: #endif #ifdef LDAP_OPT_MATCHED_DN case LDAP_OPT_MATCHED_DN: @@ -3696,6 +3735,9 @@ PHP_FUNCTION(ldap_start_tls) zval *link; ldap_linkdata *ld; int rc, protocol = LDAP_VERSION3; +#ifdef LDAP_OPT_X_TLS_NEWCTX + int val = 0; +#endif if (zend_parse_parameters(ZEND_NUM_ARGS(), "O", &link, ldap_link_ce) != SUCCESS) { RETURN_THROWS(); @@ -3705,13 +3747,16 @@ PHP_FUNCTION(ldap_start_tls) VERIFY_LDAP_LINK_CONNECTED(ld); if (((rc = ldap_set_option(ld->link, LDAP_OPT_PROTOCOL_VERSION, &protocol)) != LDAP_SUCCESS) || +#ifdef LDAP_OPT_X_TLS_NEWCTX + (LDAPG(tls_newctx) && (rc = ldap_set_option(ld->link, LDAP_OPT_X_TLS_NEWCTX, &val)) != LDAP_OPT_SUCCESS) || +#endif ((rc = ldap_start_tls_s(ld->link, NULL, NULL)) != LDAP_SUCCESS) ) { php_error_docref(NULL, E_WARNING,"Unable to start TLS: %s", ldap_err2string(rc)); RETURN_FALSE; - } else { - RETURN_TRUE; } + LDAPG(tls_newctx) = false; + RETURN_TRUE; } /* }}} */ #endif @@ -4233,7 +4278,7 @@ zend_module_entry ldap_module_entry = { /* {{{ */ ext_functions, PHP_MINIT(ldap), PHP_MSHUTDOWN(ldap), - NULL, + PHP_RINIT(ldap), NULL, PHP_MINFO(ldap), PHP_LDAP_VERSION, diff --git a/ext/ldap/php_ldap.h b/ext/ldap/php_ldap.h index 5581f5b7671a8..a8c4a77af8010 100644 --- a/ext/ldap/php_ldap.h +++ b/ext/ldap/php_ldap.h @@ -39,6 +39,7 @@ PHP_MINFO_FUNCTION(ldap); ZEND_BEGIN_MODULE_GLOBALS(ldap) zend_long num_links; zend_long max_links; + bool tls_newctx; /* create new TLS context before connect */ ZEND_END_MODULE_GLOBALS(ldap) #if defined(ZTS) && defined(COMPILE_DL_LDAP) diff --git a/ext/ldap/tests/ldap_modify_batch_error.phpt b/ext/ldap/tests/ldap_modify_batch_error.phpt index bce62cafb2791..0ac093b4a0341 100644 --- a/ext/ldap/tests/ldap_modify_batch_error.phpt +++ b/ext/ldap/tests/ldap_modify_batch_error.phpt @@ -59,6 +59,16 @@ $mods = array( ) ); +var_dump(ldap_modify_batch($link, "dc=my-domain,$base", $mods)); + +// high key with invalid attribute type +$mods = [ + 99999 => [ + "attrib" => "weirdAttribute", + "modtype" => LDAP_MODIFY_BATCH_ADD, + "values" => ["value1"], + ], +]; var_dump(ldap_modify_batch($link, "dc=my-domain,$base", $mods)); ?> --CLEAN-- @@ -81,3 +91,6 @@ bool(false) Warning: ldap_modify_batch(): Batch Modify: Undefined attribute type in %s on line %d bool(false) + +Warning: ldap_modify_batch(): Batch Modify: Undefined attribute type in %s on line %d +bool(false) diff --git a/ext/ldap/tests/ldap_start_tls_basic.phpt b/ext/ldap/tests/ldap_start_tls_basic.phpt index 4dbdce034369f..b8816de9ac4f5 100644 --- a/ext/ldap/tests/ldap_start_tls_basic.phpt +++ b/ext/ldap/tests/ldap_start_tls_basic.phpt @@ -9,11 +9,28 @@ ldap --FILE-- --EXPECT-- +bool(false) bool(true) +bool(false) diff --git a/ext/ldap/tests/ldaps_basic.phpt b/ext/ldap/tests/ldaps_basic.phpt new file mode 100644 index 0000000000000..7a1a1383436d7 --- /dev/null +++ b/ext/ldap/tests/ldaps_basic.phpt @@ -0,0 +1,55 @@ +--TEST-- +ldap_connect() - Basic ldaps test +--EXTENSIONS-- +ldap +--XFAIL-- +Passes locally but fails on CI - need investigation (configuration ?) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +bool(false) +bool(true) +bool(true) +bool(false) +bool(false) diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c index 6c8b62ed1ea3d..5ad67d1244987 100644 --- a/ext/libxml/libxml.c +++ b/ext/libxml/libxml.c @@ -769,13 +769,18 @@ static xmlParserInputPtr _php_libxml_external_entity_loader(const char *URL, is_string: resource = Z_STRVAL(retval); } else if (Z_TYPE(retval) == IS_RESOURCE) { - php_stream *stream; - php_stream_from_zval_no_verify(stream, &retval); - if (stream == NULL) { - php_libxml_ctx_error(context, - "The user entity loader callback '%s' has returned a " - "resource, but it is not a stream", - ZSTR_VAL(LIBXML(entity_loader_callback).function_handler->common.function_name)); + php_stream *stream = (php_stream*)zend_fetch_resource2_ex(&retval, NULL, php_file_le_stream(), php_file_le_pstream()); + if (UNEXPECTED(stream == NULL)) { + zval callable; + zend_get_callable_zval_from_fcc(&LIBXML(entity_loader_callback), &callable); + zend_string *callable_name = zend_get_callable_name(&callable); + zend_string *func_name = get_active_function_or_method_name(); + zend_type_error( + "%s(): The user entity loader callback \"%s\" has returned a resource, but it is not a stream", + ZSTR_VAL(func_name), ZSTR_VAL(callable_name)); + zend_string_release(func_name); + zend_string_release(callable_name); + zval_ptr_dtor(&callable); } else { /* TODO: allow storing the encoding in the stream context? */ xmlCharEncoding enc = XML_CHAR_ENCODING_NONE; diff --git a/ext/libxml/tests/libxml_get_external_entity_loader_error_callback_name.phpt b/ext/libxml/tests/libxml_get_external_entity_loader_error_callback_name.phpt index 20e783e279848..3dca273d5959c 100644 --- a/ext/libxml/tests/libxml_get_external_entity_loader_error_callback_name.phpt +++ b/ext/libxml/tests/libxml_get_external_entity_loader_error_callback_name.phpt @@ -37,4 +37,4 @@ try { ?> --EXPECT-- -string(73) "DOMDocument::validate(): supplied resource is not a valid stream resource" +string(122) "DOMDocument::validate(): The user entity loader callback "Handler::handle" has returned a resource, but it is not a stream" diff --git a/ext/opcache/jit/ir/ir_fold.h b/ext/opcache/jit/ir/ir_fold.h index c7745a8c68723..78f3ca0c01e5f 100644 --- a/ext/opcache/jit/ir/ir_fold.h +++ b/ext/opcache/jit/ir/ir_fold.h @@ -1859,8 +1859,39 @@ IR_FOLD(SUB(ADD, ADD)) } // IR_FOLD(SUB(NEG, CONST)) TODO: -a - b => -b - a -// IR_FOLD(MUL(NEG, CONST)) TODO: -a * b => a * -b -// IR_FOLD(DIV(NEG, CONST)) TODO: -a / b => a / -b + +IR_FOLD(MUL(NEG, C_I8)) +IR_FOLD(MUL(NEG, C_I16)) +IR_FOLD(MUL(NEG, C_I32)) +IR_FOLD(MUL(NEG, C_I64)) +IR_FOLD(DIV(NEG, C_I8)) +IR_FOLD(DIV(NEG, C_I16)) +IR_FOLD(DIV(NEG, C_I32)) +IR_FOLD(DIV(NEG, C_I64)) +{ + op1 = op1_insn->op1; + val.i64 = -op2_insn->val.i64; + op2 = ir_const(ctx, val, op2_insn->type); + IR_FOLD_RESTART; +} + +IR_FOLD(MUL(NEG, C_FLOAT)) +IR_FOLD(DIV(NEG, C_FLOAT)) +{ + op1 = op1_insn->op1; + val.f = -op2_insn->val.f; + op2 = ir_const(ctx, val, op2_insn->type); + IR_FOLD_RESTART; +} + +IR_FOLD(MUL(NEG, C_DOUBLE)) +IR_FOLD(DIV(NEG, C_DOUBLE)) +{ + op1 = op1_insn->op1; + val.d = -op2_insn->val.d; + op2 = ir_const(ctx, val, op2_insn->type); + IR_FOLD_RESTART; +} IR_FOLD(MUL(_, C_U8)) IR_FOLD(MUL(_, C_U16)) diff --git a/ext/opcache/jit/ir/ir_sccp.c b/ext/opcache/jit/ir/ir_sccp.c index af039aaef829b..8480861f91fe7 100644 --- a/ext/opcache/jit/ir/ir_sccp.c +++ b/ext/opcache/jit/ir/ir_sccp.c @@ -1517,7 +1517,7 @@ static bool ir_may_promote_f2d(ir_ctx *ctx, ir_ref ref) return 0; } -static ir_ref ir_promote_d2f(ir_ctx *ctx, ir_ref ref, ir_ref use) +static ir_ref ir_promote_d2f(ir_ctx *ctx, ir_ref ref, ir_ref use, ir_bitqueue *worklist) { ir_insn *insn = &ctx->ir_base[ref]; uint32_t count; @@ -1526,6 +1526,7 @@ static ir_ref ir_promote_d2f(ir_ctx *ctx, ir_ref ref, ir_ref use) if (IR_IS_CONST_REF(ref)) { return ir_const_float(ctx, (float)insn->val.d); } else { + ir_bitqueue_add(worklist, ref); switch (insn->op) { case IR_FP2FP: count = ctx->use_lists[ref].count; @@ -1555,7 +1556,7 @@ static ir_ref ir_promote_d2f(ir_ctx *ctx, ir_ref ref, ir_ref use) // return ref; case IR_NEG: case IR_ABS: - insn->op1 = ir_promote_d2f(ctx, insn->op1, ref); + insn->op1 = ir_promote_d2f(ctx, insn->op1, ref, worklist); insn->type = IR_FLOAT; return ref; case IR_ADD: @@ -1565,10 +1566,10 @@ static ir_ref ir_promote_d2f(ir_ctx *ctx, ir_ref ref, ir_ref use) case IR_MIN: case IR_MAX: if (insn->op1 == insn->op2) { - insn->op2 = insn->op1 = ir_promote_d2f(ctx, insn->op1, ref); + insn->op2 = insn->op1 = ir_promote_d2f(ctx, insn->op1, ref, worklist); } else { - insn->op1 = ir_promote_d2f(ctx, insn->op1, ref); - insn->op2 = ir_promote_d2f(ctx, insn->op2, ref); + insn->op1 = ir_promote_d2f(ctx, insn->op1, ref, worklist); + insn->op2 = ir_promote_d2f(ctx, insn->op2, ref, worklist); } insn->type = IR_FLOAT; return ref; @@ -1580,7 +1581,7 @@ static ir_ref ir_promote_d2f(ir_ctx *ctx, ir_ref ref, ir_ref use) return ref; } -static ir_ref ir_promote_f2d(ir_ctx *ctx, ir_ref ref, ir_ref use) +static ir_ref ir_promote_f2d(ir_ctx *ctx, ir_ref ref, ir_ref use, ir_bitqueue *worklist) { ir_insn *insn = &ctx->ir_base[ref]; uint32_t count; @@ -1590,6 +1591,7 @@ static ir_ref ir_promote_f2d(ir_ctx *ctx, ir_ref ref, ir_ref use) if (IR_IS_CONST_REF(ref)) { return ir_const_double(ctx, (double)insn->val.f); } else { + ir_bitqueue_add(worklist, ref); switch (insn->op) { case IR_FP2FP: count = ctx->use_lists[ref].count; @@ -1628,7 +1630,7 @@ static ir_ref ir_promote_f2d(ir_ctx *ctx, ir_ref ref, ir_ref use) return ref; case IR_NEG: case IR_ABS: - insn->op1 = ir_promote_f2d(ctx, insn->op1, ref); + insn->op1 = ir_promote_f2d(ctx, insn->op1, ref, worklist); insn->type = IR_DOUBLE; return ref; case IR_ADD: @@ -1638,10 +1640,10 @@ static ir_ref ir_promote_f2d(ir_ctx *ctx, ir_ref ref, ir_ref use) case IR_MIN: case IR_MAX: if (insn->op1 == insn->op2) { - insn->op2 = insn->op1 = ir_promote_f2d(ctx, insn->op1, ref); + insn->op2 = insn->op1 = ir_promote_f2d(ctx, insn->op1, ref, worklist); } else { - insn->op1 = ir_promote_f2d(ctx, insn->op1, ref); - insn->op2 = ir_promote_f2d(ctx, insn->op2, ref); + insn->op1 = ir_promote_f2d(ctx, insn->op1, ref, worklist); + insn->op2 = ir_promote_f2d(ctx, insn->op2, ref, worklist); } insn->type = IR_DOUBLE; return ref; @@ -1707,7 +1709,7 @@ static bool ir_may_promote_trunc(ir_ctx *ctx, ir_type type, ir_ref ref) } } } - for (p = insn->ops + 1, n = insn->inputs_count - 1; n > 0; p++, n--) { + for (p = insn->ops + 2, n = insn->inputs_count - 1; n > 0; p++, n--) { input = *p; if (input != ref) { if (!ir_may_promote_trunc(ctx, type, input)) { @@ -1723,7 +1725,7 @@ static bool ir_may_promote_trunc(ir_ctx *ctx, ir_type type, ir_ref ref) return 0; } -static ir_ref ir_promote_i2i(ir_ctx *ctx, ir_type type, ir_ref ref, ir_ref use) +static ir_ref ir_promote_i2i(ir_ctx *ctx, ir_type type, ir_ref ref, ir_ref use, ir_bitqueue *worklist) { ir_insn *insn = &ctx->ir_base[ref]; uint32_t count; @@ -1732,6 +1734,7 @@ static ir_ref ir_promote_i2i(ir_ctx *ctx, ir_type type, ir_ref ref, ir_ref use) if (IR_IS_CONST_REF(ref)) { return ir_const(ctx, insn->val, type); } else { + ir_bitqueue_add(worklist, ref); switch (insn->op) { case IR_ZEXT: case IR_SEXT: @@ -1776,7 +1779,7 @@ static ir_ref ir_promote_i2i(ir_ctx *ctx, ir_type type, ir_ref ref, ir_ref use) case IR_NEG: case IR_ABS: case IR_NOT: - insn->op1 = ir_promote_i2i(ctx, type, insn->op1, ref); + insn->op1 = ir_promote_i2i(ctx, type, insn->op1, ref, worklist); insn->type = type; return ref; case IR_ADD: @@ -1789,10 +1792,10 @@ static ir_ref ir_promote_i2i(ir_ctx *ctx, ir_type type, ir_ref ref, ir_ref use) case IR_XOR: case IR_SHL: if (insn->op1 == insn->op2) { - insn->op2 = insn->op1 = ir_promote_i2i(ctx, type, insn->op1, ref); + insn->op2 = insn->op1 = ir_promote_i2i(ctx, type, insn->op1, ref, worklist); } else { - insn->op1 = ir_promote_i2i(ctx, type, insn->op1, ref); - insn->op2 = ir_promote_i2i(ctx, type, insn->op2, ref); + insn->op1 = ir_promote_i2i(ctx, type, insn->op1, ref, worklist); + insn->op2 = ir_promote_i2i(ctx, type, insn->op2, ref, worklist); } insn->type = type; return ref; @@ -1804,18 +1807,18 @@ static ir_ref ir_promote_i2i(ir_ctx *ctx, ir_type type, ir_ref ref, ir_ref use) // TODO: ??? case IR_COND: if (insn->op2 == insn->op3) { - insn->op3 = insn->op2 = ir_promote_i2i(ctx, type, insn->op2, ref); + insn->op3 = insn->op2 = ir_promote_i2i(ctx, type, insn->op2, ref, worklist); } else { - insn->op2 = ir_promote_i2i(ctx, type, insn->op2, ref); - insn->op3 = ir_promote_i2i(ctx, type, insn->op3, ref); + insn->op2 = ir_promote_i2i(ctx, type, insn->op2, ref, worklist); + insn->op3 = ir_promote_i2i(ctx, type, insn->op3, ref, worklist); } insn->type = type; return ref; case IR_PHI: - for (p = insn->ops + 1, n = insn->inputs_count - 1; n > 0; p++, n--) { + for (p = insn->ops + 2, n = insn->inputs_count - 1; n > 0; p++, n--) { input = *p; if (input != ref) { - *p = ir_promote_i2i(ctx, type, input, ref); + *p = ir_promote_i2i(ctx, type, input, ref, worklist); } } insn->type = type; @@ -1906,7 +1909,7 @@ static uint32_t _ir_estimated_control(ir_ctx *ctx, ir_ref val) } IR_ASSERT(ir_op_flags[insn->op] & IR_OP_FLAG_DATA); - if (IR_OPND_KIND(ir_op_flags[insn->op], 1) & IR_OPND_CONTROL_DEP) { + if (IR_OPND_KIND(ir_op_flags[insn->op], 1) == IR_OPND_CONTROL_DEP) { return insn->op1; } @@ -3479,14 +3482,14 @@ void ir_iter_opt(ir_ctx *ctx, ir_bitqueue *worklist) case IR_FP2FP: if (insn->type == IR_FLOAT) { if (ir_may_promote_d2f(ctx, insn->op1)) { - ir_ref ref = ir_promote_d2f(ctx, insn->op1, i); + ir_ref ref = ir_promote_d2f(ctx, insn->op1, i, worklist); insn->op1 = ref; ir_iter_replace_insn(ctx, i, ref, worklist); break; } } else { if (ir_may_promote_f2d(ctx, insn->op1)) { - ir_ref ref = ir_promote_f2d(ctx, insn->op1, i); + ir_ref ref = ir_promote_f2d(ctx, insn->op1, i, worklist); insn->op1 = ref; ir_iter_replace_insn(ctx, i, ref, worklist); break; @@ -3496,17 +3499,17 @@ void ir_iter_opt(ir_ctx *ctx, ir_bitqueue *worklist) case IR_FP2INT: if (ctx->ir_base[insn->op1].type == IR_DOUBLE) { if (ir_may_promote_d2f(ctx, insn->op1)) { - insn->op1 = ir_promote_d2f(ctx, insn->op1, i); + insn->op1 = ir_promote_d2f(ctx, insn->op1, i, worklist); } } else { if (ir_may_promote_f2d(ctx, insn->op1)) { - insn->op1 = ir_promote_f2d(ctx, insn->op1, i); + insn->op1 = ir_promote_f2d(ctx, insn->op1, i, worklist); } } goto folding; case IR_TRUNC: if (ir_may_promote_trunc(ctx, insn->type, insn->op1)) { - ir_ref ref = ir_promote_i2i(ctx, insn->type, insn->op1, i); + ir_ref ref = ir_promote_i2i(ctx, insn->type, insn->op1, i, worklist); insn->op1 = ref; ir_iter_replace_insn(ctx, i, ref, worklist); break; diff --git a/ext/opcache/jit/ir/ir_x86.dasc b/ext/opcache/jit/ir/ir_x86.dasc index 3b6cf156ad909..d01a8c41359aa 100644 --- a/ext/opcache/jit/ir/ir_x86.dasc +++ b/ext/opcache/jit/ir/ir_x86.dasc @@ -650,6 +650,26 @@ IR_ALWAYS_INLINE ir_mem IR_MEM(ir_reg base, int32_t offset, ir_reg index, int32_ || } |.endmacro +/* Like ASM_REG_IMM_OP, but op1 accepts r16,r32,r64 (not r8) */ +|.macro ASM_REG16_IMM_OP, op, type, op1, op2 +|| switch (ir_type_size[type]) { +|| default: +|| IR_ASSERT(0); +|| case 1: +|| case 2: +| op Rw(op1), (op2 & 0xffff) +|| break; +|| case 4: +| op Rd(op1), op2 +|| break; +|.if X64 +|| case 8: +| op Rq(op1), op2 +|| break; +|.endif +|| } +|.endmacro + |.macro ASM_MEM_REG_OP, op, type, op1, op2 | ASM_EXPAND_OP1_MEM ASM_EXPAND_TYPE_MEM_REG, op, type, op1, op2 |.endmacro @@ -1003,6 +1023,8 @@ const char *ir_reg_name(int8_t reg, ir_type type) _(LEA_SI_B) \ _(LEA_B_SI_O) \ _(LEA_SI_B_O) \ + _(LEA_SYM_O) \ + _(LEA_O_SYM) \ _(INC) \ _(DEC) \ _(MUL_PWR2) \ @@ -1064,6 +1086,10 @@ const char *ir_reg_name(int8_t reg, ir_type type) _(SSE_CEIL) \ _(SSE_TRUNC) \ _(SSE_NEARBYINT) \ + _(BIT_OP) \ + +#define IR_LEA_FIRST IR_LEA_OB +#define IR_LEA_LAST IR_LEA_O_SYM #define IR_RULE_ENUM(name) IR_ ## name, @@ -1395,6 +1421,7 @@ op2_const: case IR_DIV_PWR2: case IR_OP_INT: case IR_OP_FP: + case IR_BIT_OP: flags = IR_DEF_REUSES_OP1_REG | IR_USE_MUST_BE_IN_REG | IR_OP1_SHOULD_BE_IN_REG; break; case IR_MOD_PWR2: @@ -1584,7 +1611,7 @@ static void ir_match_fuse_addr(ir_ctx *ctx, ir_ref addr_ref) if (!rule) { ctx->rules[addr_ref] = rule = ir_match_insn(ctx, addr_ref); } - if (rule >= IR_LEA_OB && rule <= IR_LEA_SI_B_O) { + if (rule >= IR_LEA_FIRST && rule <= IR_LEA_LAST) { ir_use_list *use_list; ir_ref j; @@ -1972,6 +1999,19 @@ static uint32_t ir_match_insn(ir_ctx *ctx, ir_ref ref) if ((ctx->flags & IR_OPT_CODEGEN) && IR_IS_CONST_REF(insn->op2)) { op2_insn = &ctx->ir_base[insn->op2]; if (IR_IS_CONST_REF(insn->op1)) { + ir_insn *op1_insn = &ctx->ir_base[insn->op1]; + + if (insn->op == IR_ADD + && IR_IS_SYM_CONST(op1_insn->op) + && !IR_IS_SYM_CONST(op2_insn->op) + && IR_IS_SIGNED_32BIT((intptr_t)ir_sym_val(ctx, op1_insn) + (intptr_t)op2_insn->val.i64)) { + return IR_LEA_SYM_O; + } else if (insn->op == IR_ADD + && IR_IS_SYM_CONST(op2_insn->op) + && !IR_IS_SYM_CONST(op1_insn->op) + && IR_IS_SIGNED_32BIT((intptr_t)ir_sym_val(ctx, op2_insn) + (intptr_t)op1_insn->val.i64)) { + return IR_LEA_O_SYM; + } // const // TODO: add support for sym+offset ??? } else if (IR_IS_SYM_CONST(op2_insn->op)) { @@ -2262,6 +2302,9 @@ binop_fp: // return IR_COPY_INT; } else if (op2_insn->val.i64 == -1) { // -1 + } else if (IR_IS_POWER_OF_TWO(op2_insn->val.u64) && !IR_IS_SIGNED_32BIT(op2_insn->val.i64)) { + /* OR(X, PWR2) => BTS */ + return IR_BIT_OP; } } goto binop_int; @@ -2276,6 +2319,9 @@ binop_fp: // 0 } else if (op2_insn->val.i64 == -1) { // return IR_COPY_INT; + } else if (IR_IS_POWER_OF_TWO(~op2_insn->val.u64) && !IR_IS_SIGNED_32BIT(op2_insn->val.i64)) { + /* AND(X, ~PWR2) => BTR */ + return IR_BIT_OP; } } goto binop_int; @@ -3264,7 +3310,11 @@ static void ir_emit_mov_ext(ir_ctx *ctx, ir_type type, ir_reg dst, ir_reg src) | ASM_REG_REG_OP mov, type, dst, src } else if (ir_type_size[type] == 2) { if (IR_IS_TYPE_SIGNED(type)) { - | movsx Rd(dst), Rw(src) + if (dst == IR_REG_RAX && src == IR_REG_RAX) { + | cwde + } else { + | movsx Rd(dst), Rw(src) + } } else { | movzx Rd(dst), Rw(src) } @@ -3311,8 +3361,8 @@ static ir_mem ir_fuse_addr(ir_ctx *ctx, ir_ref root, ir_ref ref) ir_reg base_reg = IR_REG_NONE, index_reg; int32_t offset = 0, scale; - IR_ASSERT(((rule & IR_RULE_MASK) >= IR_LEA_OB && - (rule & IR_RULE_MASK) <= IR_LEA_SI_B_O) || + IR_ASSERT(((rule & IR_RULE_MASK) >= IR_LEA_FIRST && + (rule & IR_RULE_MASK) <= IR_LEA_LAST) || rule == IR_STATIC_ALLOCA); switch (rule & IR_RULE_MASK) { default: @@ -3498,6 +3548,22 @@ static ir_mem ir_fuse_addr(ir_ctx *ctx, ir_ref root, ir_ref ref) op1_insn = &ctx->ir_base[op1_insn->op1]; scale = ctx->ir_base[op1_insn->op2].val.i32; break; + case IR_LEA_SYM_O: + op1_insn = &ctx->ir_base[insn->op1]; + op2_insn = &ctx->ir_base[insn->op2]; + offset = (intptr_t)ir_sym_val(ctx, op1_insn) + (intptr_t)op2_insn->val.i64; + base_reg_ref = index_reg_ref = IR_UNUSED; + scale = 1; + offset_insn = NULL; + break; + case IR_LEA_O_SYM: + op1_insn = &ctx->ir_base[insn->op1]; + op2_insn = &ctx->ir_base[insn->op2]; + offset = (intptr_t)ir_sym_val(ctx, op2_insn) + (intptr_t)op1_insn->val.i64; + base_reg_ref = index_reg_ref = IR_UNUSED; + scale = 1; + offset_insn = NULL; + break; case IR_ALLOCA: offset = IR_SPILL_POS_TO_OFFSET(insn->op3); base_reg = (ctx->flags & IR_USE_FRAME_POINTER) ? IR_REG_FRAME_POINTER : IR_REG_STACK_POINTER; @@ -4303,6 +4369,45 @@ static void ir_emit_mul_div_mod_pwr2(ir_ctx *ctx, ir_ref def, ir_insn *insn) } } +static void ir_emit_bit_op(ir_ctx *ctx, ir_ref def, ir_insn *insn) +{ + ir_backend_data *data = ctx->data; + dasm_State **Dst = &data->dasm_state; + ir_type type = insn->type; + ir_ref op1 = insn->op1; + ir_reg def_reg = IR_REG_NUM(ctx->regs[def][0]); + ir_reg op1_reg = ctx->regs[def][1]; + + IR_ASSERT(IR_IS_CONST_REF(insn->op2)); + IR_ASSERT(!IR_IS_SYM_CONST(ctx->ir_base[insn->op2].op)); + IR_ASSERT(def_reg != IR_REG_NONE); + + if (op1_reg != IR_REG_NONE && IR_REG_SPILLED(op1_reg)) { + op1_reg = IR_REG_NUM(op1_reg); + ir_emit_load(ctx, type, op1_reg, op1); + } + if (def_reg != op1_reg) { + if (op1_reg != IR_REG_NONE) { + ir_emit_mov(ctx, type, def_reg, op1_reg); + } else { + ir_emit_load(ctx, type, def_reg, op1); + } + } + if (insn->op == IR_OR) { + uint32_t bit = IR_LOG2(ctx->ir_base[insn->op2].val.u64); + + | ASM_REG16_IMM_OP, bts, type, def_reg, bit + } else { + IR_ASSERT(insn->op == IR_AND); + uint32_t bit = IR_LOG2(~ctx->ir_base[insn->op2].val.u64); + + | ASM_REG16_IMM_OP, btr, type, def_reg, bit + } + if (IR_REG_SPILLED(ctx->regs[def][0])) { + ir_emit_store(ctx, type, def, def_reg); + } +} + static void ir_emit_sdiv_pwr2(ir_ctx *ctx, ir_ref def, ir_insn *insn) { ir_backend_data *data = ctx->data; @@ -5186,7 +5291,7 @@ static void ir_emit_mul_div_mod(ir_ctx *ctx, ir_ref def, ir_insn *insn) } else if (ir_type_size[type] == 2) { | cwd } else { - | movsx ax, al + | cbw } if (op2_reg != IR_REG_NONE) { | ASM_REG_OP idiv, type, op2_reg @@ -6813,7 +6918,11 @@ static void ir_emit_sext(ir_ctx *ctx, ir_ref def, ir_insn *insn) } if (ir_type_size[src_type] == 1) { if (ir_type_size[dst_type] == 2) { - | movsx Rw(def_reg), Rb(op1_reg) + if (def_reg == IR_REG_RAX && op1_reg == IR_REG_RAX) { + | cbw + } else { + | movsx Rw(def_reg), Rb(op1_reg) + } } else if (ir_type_size[dst_type] == 4) { | movsx Rd(def_reg), Rb(op1_reg) } else { @@ -6825,7 +6934,11 @@ static void ir_emit_sext(ir_ctx *ctx, ir_ref def, ir_insn *insn) } } else if (ir_type_size[src_type] == 2) { if (ir_type_size[dst_type] == 4) { - | movsx Rd(def_reg), Rw(op1_reg) + if (def_reg == IR_REG_RAX && op1_reg == IR_REG_RAX) { + | cwde + } else { + | movsx Rd(def_reg), Rw(op1_reg) + } } else { IR_ASSERT(ir_type_size[dst_type] == 8); IR_ASSERT(sizeof(void*) == 8); @@ -6838,7 +6951,11 @@ static void ir_emit_sext(ir_ctx *ctx, ir_ref def, ir_insn *insn) IR_ASSERT(ir_type_size[dst_type] == 8); IR_ASSERT(sizeof(void*) == 8); |.if X64 - | movsxd Rq(def_reg), Rd(op1_reg) + if (def_reg == IR_REG_RAX && op1_reg == IR_REG_RAX) { + | cdqe + } else { + | movsxd Rq(def_reg), Rd(op1_reg) + } |.endif } } else if (IR_IS_CONST_REF(insn->op1)) { @@ -7203,6 +7320,8 @@ static void ir_emit_int2fp(ir_ctx *ctx, ir_ref def, ir_insn *insn) |.else || if (ir_type_size[src_type] == 1) { | movsx Rd(op1_reg), Rb(op1_reg) +|| } else if (op1_reg == IR_REG_RAX) { + | cwde || } else { | movsx Rd(op1_reg), Rw(op1_reg) || } @@ -8502,7 +8621,11 @@ static void ir_emit_switch(ir_ctx *ctx, uint32_t b, ir_ref def, ir_insn *insn) case 4: |.if X64 if (IR_IS_TYPE_SIGNED(type)) { - | movsxd Ra(op2_reg), Rd(op2_reg) + if (op2_reg == IR_REG_RAX) { + | cdqe + } else { + | movsxd Ra(op2_reg), Rd(op2_reg) + } } else { | mov Rd(op2_reg), Rd(op2_reg) } @@ -10603,6 +10726,8 @@ void *ir_emit_code(ir_ctx *ctx, size_t *size_ptr) case IR_LEA_SI_B: case IR_LEA_B_SI_O: case IR_LEA_SI_B_O: + case IR_LEA_SYM_O: + case IR_LEA_O_SYM: ir_emit_lea(ctx, i, insn->type); break; case IR_MUL_PWR2: @@ -10610,6 +10735,9 @@ void *ir_emit_code(ir_ctx *ctx, size_t *size_ptr) case IR_MOD_PWR2: ir_emit_mul_div_mod_pwr2(ctx, i, insn); break; + case IR_BIT_OP: + ir_emit_bit_op(ctx, i, insn); + break; case IR_SDIV_PWR2: ir_emit_sdiv_pwr2(ctx, i, insn); break; diff --git a/ext/opcache/jit/zend_jit.c b/ext/opcache/jit/zend_jit.c index 2d4ef0bf4fc38..e477cbdb5628b 100644 --- a/ext/opcache/jit/zend_jit.c +++ b/ext/opcache/jit/zend_jit.c @@ -3033,6 +3033,10 @@ void ZEND_FASTCALL zend_jit_hot_func(zend_execute_data *execute_data, const zend op_array->opcodes[i].handler = jit_extension->orig_handlers[i]; } +#ifdef HAVE_GCC_GLOBAL_REGS + EX(opline) = opline; +#endif + /* perform real JIT for this function */ zend_real_jit_func(op_array, NULL, opline, ZEND_JIT_ON_HOT_COUNTERS); } zend_catch { diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c index 7ff6522ba2c4a..e9b1a9f01e184 100644 --- a/ext/opcache/jit/zend_jit_ir.c +++ b/ext/opcache/jit/zend_jit_ir.c @@ -13482,6 +13482,13 @@ static int zend_jit_assign_dim_op(zend_jit_ctx *jit, ref_path = ir_END(); ir_IF_TRUE_cold(if_typed); + if (Z_MODE(op3_addr) == IS_REG) { + zend_jit_addr real_addr = ZEND_ADDR_MEM_ZVAL(ZREG_FP, (opline+1)->op1.var); + if (!zend_jit_spill_store_inv(jit, op3_addr, real_addr, op1_data_info)) { + return 0; + } + op3_addr = real_addr; + } arg2 = jit_ZVAL_ADDR(jit, op3_addr); ir_CALL_3(IR_VOID, ir_CONST_FC_FUNC(zend_jit_assign_op_to_typed_ref), reference, arg2, ir_CONST_FC_FUNC(binary_op)); diff --git a/ext/opcache/tests/jit/gh17190.phpt b/ext/opcache/tests/jit/gh17190.phpt index d4bb4372b9215..9027050ed6897 100644 --- a/ext/opcache/tests/jit/gh17190.phpt +++ b/ext/opcache/tests/jit/gh17190.phpt @@ -7,7 +7,9 @@ opcache.enable=1 opcache.enable_cli=1 opcache.file_update_protection=0 opcache.jit_buffer_size=32M -opcache.jit=function +opcache.jit=1254 +opcache.jit_hot_func=1 +opcache.jit_hot_side_exit=1 --FILE-- +--EXPECT-- +float(-347.3205211468715) diff --git a/ext/opcache/tests/jit/gh18294.phpt b/ext/opcache/tests/jit/gh18294.phpt new file mode 100644 index 0000000000000..a3e99e8e7bf0c --- /dev/null +++ b/ext/opcache/tests/jit/gh18294.phpt @@ -0,0 +1,37 @@ +--TEST-- +GH-18294 (assertion failure zend_jit_ir.c) +--EXTENSIONS-- +opcache +--INI-- +opcache.jit=1152 +opcache.jit_hot_func=1 +opcache.jit_hot_side_exit=1 +--FILE-- +>= $overflow; + } + } + return $fusion; +} +?> +--EXPECT-- +Array +( + [1] => 0 + [2] => 0 + [3] => 0 + [4] => 0 + [5] => 0 + [6] => 0 + [7] => 0 + [8] => 0 +) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index be68216b524a9..de4f20c96d519 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -5945,8 +5945,8 @@ PHP_FUNCTION(openssl_pkcs7_read) BIO_get_mem_ptr(bio_out, &bio_buf); ZVAL_STRINGL(&zcert, bio_buf->data, bio_buf->length); add_index_zval(zout, i, &zcert); - BIO_free(bio_out); } + BIO_free(bio_out); } } @@ -5960,8 +5960,8 @@ PHP_FUNCTION(openssl_pkcs7_read) BIO_get_mem_ptr(bio_out, &bio_buf); ZVAL_STRINGL(&zcert, bio_buf->data, bio_buf->length); add_index_zval(zout, i, &zcert); - BIO_free(bio_out); } + BIO_free(bio_out); } } @@ -6586,8 +6586,8 @@ PHP_FUNCTION(openssl_cms_read) BIO_get_mem_ptr(bio_out, &bio_buf); ZVAL_STRINGL(&zcert, bio_buf->data, bio_buf->length); add_index_zval(zout, i, &zcert); - BIO_free(bio_out); } + BIO_free(bio_out); } } @@ -6601,8 +6601,8 @@ PHP_FUNCTION(openssl_cms_read) BIO_get_mem_ptr(bio_out, &bio_buf); ZVAL_STRINGL(&zcert, bio_buf->data, bio_buf->length); add_index_zval(zout, i, &zcert); - BIO_free(bio_out); } + BIO_free(bio_out); } } @@ -7162,6 +7162,7 @@ PHP_FUNCTION(openssl_sign) mdtype = php_openssl_get_evp_md_from_algo(method_long); } if (!mdtype && (!can_default_digest || method_long != 0)) { + EVP_PKEY_free(pkey); php_error_docref(NULL, E_WARNING, "Unknown digest algorithm"); RETURN_FALSE; } @@ -8156,11 +8157,10 @@ PHP_OPENSSL_API zend_string* php_openssl_random_pseudo_bytes(zend_long buffer_le PHP_OPENSSL_CHECK_LONG_TO_INT_NULL_RETURN(buffer_length, length); PHP_OPENSSL_RAND_ADD_TIME(); if (RAND_bytes((unsigned char*)ZSTR_VAL(buffer), (int)buffer_length) <= 0) { + php_openssl_store_errors(); zend_string_release_ex(buffer, 0); zend_throw_exception(zend_ce_exception, "Error reading from source device", 0); return NULL; - } else { - php_openssl_store_errors(); } return buffer; @@ -8177,17 +8177,15 @@ PHP_FUNCTION(openssl_random_pseudo_bytes) RETURN_THROWS(); } - if (zstrong_result_returned) { - ZEND_TRY_ASSIGN_REF_FALSE(zstrong_result_returned); - } - if ((buffer = php_openssl_random_pseudo_bytes(buffer_length))) { ZSTR_VAL(buffer)[buffer_length] = 0; RETVAL_NEW_STR(buffer); - } - if (zstrong_result_returned) { - ZEND_TRY_ASSIGN_REF_TRUE(zstrong_result_returned); + if (zstrong_result_returned) { + ZEND_TRY_ASSIGN_REF_TRUE(zstrong_result_returned); + } + } else if (zstrong_result_returned) { + ZEND_TRY_ASSIGN_REF_FALSE(zstrong_result_returned); } } /* }}} */ diff --git a/ext/openssl/tests/openssl_sign_invalid_algorithm.phpt b/ext/openssl/tests/openssl_sign_invalid_algorithm.phpt new file mode 100644 index 0000000000000..c669a373a1079 --- /dev/null +++ b/ext/openssl/tests/openssl_sign_invalid_algorithm.phpt @@ -0,0 +1,18 @@ +--TEST-- +openssl_sign: invalid algorithm +--EXTENSIONS-- +openssl +--FILE-- + +--EXPECTF-- +Warning: openssl_sign(): Unknown digest algorithm in %s on line %d diff --git a/ext/pdo/pdo_stmt.c b/ext/pdo/pdo_stmt.c index 006e49461f646..9ba82e822b676 100644 --- a/ext/pdo/pdo_stmt.c +++ b/ext/pdo/pdo_stmt.c @@ -2489,9 +2489,10 @@ static zval *pdo_row_get_property_ptr_ptr(zend_object *object, zend_string *name ZEND_IGNORE_VALUE(object); ZEND_IGNORE_VALUE(name); ZEND_IGNORE_VALUE(type); - ZEND_IGNORE_VALUE(cache_slot); - cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; + if (cache_slot) { + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; + } return NULL; } diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c index 136483a149696..259ed53af98a8 100644 --- a/ext/pdo_firebird/firebird_driver.c +++ b/ext/pdo_firebird/firebird_driver.c @@ -594,18 +594,19 @@ static void firebird_handle_closer(pdo_dbh_t *dbh) /* {{{ */ } H->in_manually_txn = 0; - if (isc_detach_database(H->isc_status, &H->db)) { + /* isc_detach_database returns 0 on success, 1 on failure. */ + if (H->db && isc_detach_database(H->isc_status, &H->db)) { php_firebird_error(dbh); } if (H->date_format) { - efree(H->date_format); + pefree(H->date_format, dbh->is_persistent); } if (H->time_format) { - efree(H->time_format); + pefree(H->time_format, dbh->is_persistent); } if (H->timestamp_format) { - efree(H->timestamp_format); + pefree(H->timestamp_format, dbh->is_persistent); } if (H->einfo.errmsg) { @@ -1091,9 +1092,10 @@ static bool pdo_firebird_set_attribute(pdo_dbh_t *dbh, zend_long attr, zval *val return false; } if (H->date_format) { - efree(H->date_format); + pefree(H->date_format, dbh->is_persistent); + H->date_format = NULL; } - spprintf(&H->date_format, 0, "%s", ZSTR_VAL(str)); + H->date_format = pestrndup(ZSTR_VAL(str), ZSTR_LEN(str),dbh->is_persistent); zend_string_release_ex(str, 0); } return true; @@ -1105,9 +1107,10 @@ static bool pdo_firebird_set_attribute(pdo_dbh_t *dbh, zend_long attr, zval *val return false; } if (H->time_format) { - efree(H->time_format); + pefree(H->time_format, dbh->is_persistent); + H->time_format = NULL; } - spprintf(&H->time_format, 0, "%s", ZSTR_VAL(str)); + H->time_format = pestrndup(ZSTR_VAL(str), ZSTR_LEN(str),dbh->is_persistent); zend_string_release_ex(str, 0); } return true; @@ -1119,9 +1122,10 @@ static bool pdo_firebird_set_attribute(pdo_dbh_t *dbh, zend_long attr, zval *val return false; } if (H->timestamp_format) { - efree(H->timestamp_format); + pefree(H->timestamp_format, dbh->is_persistent); + H->timestamp_format = NULL; } - spprintf(&H->timestamp_format, 0, "%s", ZSTR_VAL(str)); + H->timestamp_format = pestrndup(ZSTR_VAL(str), ZSTR_LEN(str),dbh->is_persistent); zend_string_release_ex(str, 0); } return true; diff --git a/ext/pdo_firebird/tests/gh17383.phpt b/ext/pdo_firebird/tests/gh17383.phpt new file mode 100644 index 0000000000000..6adad311938c6 --- /dev/null +++ b/ext/pdo_firebird/tests/gh17383.phpt @@ -0,0 +1,38 @@ +--TEST-- +GH-17383 (PDOException has wrong code and message since PHP 8.4) +--EXTENSIONS-- +pdo_firebird +--SKIPIF-- + +--XLEAK-- +A bug in firebird causes a memory leak when calling `isc_attach_database()`. +See https://github.com/FirebirdSQL/firebird/issues/7849 +--FILE-- +getCode() . "\n"; + echo 'PDOException message: ' . $e->getMessage() . "\n"; + echo "\n"; + } +} +?> +--EXPECT-- +PDOException code: 335544721 +PDOException message: SQLSTATE[HY000] [335544721] Unable to complete network request to host "invalid_host". + +PDOException code: 335544472 +PDOException message: SQLSTATE[HY000] [335544472] Your user name and password are not defined. Ask your database administrator to set up a Firebird login. + +PDOException code: 335544472 +PDOException message: SQLSTATE[HY000] [335544472] Your user name and password are not defined. Ask your database administrator to set up a Firebird login. diff --git a/ext/pdo_firebird/tests/gh18276.phpt b/ext/pdo_firebird/tests/gh18276.phpt new file mode 100644 index 0000000000000..610876166ccf7 --- /dev/null +++ b/ext/pdo_firebird/tests/gh18276.phpt @@ -0,0 +1,35 @@ +--TEST-- +GH-18276 (persistent connection - setAttribute(Pdo\Firebird::ATTR_DATE_FORMAT, ..) results in "zend_mm_heap corrupted") +--EXTENSIONS-- +pdo_firebird +--SKIPIF-- + +--XLEAK-- +A bug in firebird causes a memory leak when calling `isc_attach_database()`. +See https://github.com/FirebirdSQL/firebird/issues/7849 +--FILE-- + true, + ], + ); + // Avoid interned + $dbh->setAttribute(PDO::FB_ATTR_DATE_FORMAT, str_repeat('Y----m----d', random_int(1, 1))); + $dbh->setAttribute(PDO::FB_ATTR_TIME_FORMAT, str_repeat('H::::i::::s', random_int(1, 1))); + $dbh->setAttribute(PDO::FB_ATTR_TIMESTAMP_FORMAT, str_repeat('Y----m----d....H::::i::::s', random_int(1, 1))); + unset($dbh); +} + +echo 'done!'; +?> +--EXPECT-- +done! diff --git a/ext/pdo_sqlite/pdo_sqlite.c b/ext/pdo_sqlite/pdo_sqlite.c index bc47c15a1eb5e..ff56d04049424 100644 --- a/ext/pdo_sqlite/pdo_sqlite.c +++ b/ext/pdo_sqlite/pdo_sqlite.c @@ -352,6 +352,7 @@ static int php_sqlite_collation_callback(void *context, int string1_len, const v zend_type_error("%s(): Return value of the callback must be of type int, %s returned", ZSTR_VAL(func_name), zend_zval_value_name(&retval)); zend_string_release(func_name); + zval_ptr_dtor(&retval); return FAILURE; } if (Z_LVAL(retval) > 0) { @@ -359,7 +360,6 @@ static int php_sqlite_collation_callback(void *context, int string1_len, const v } else if (Z_LVAL(retval) < 0) { ret = -1; } - zval_ptr_dtor(&retval); } zval_ptr_dtor(&zargs[0]); diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c index 4b03bfc3c9df4..75b987d6b917e 100644 --- a/ext/pgsql/pgsql.c +++ b/ext/pgsql/pgsql.c @@ -3451,11 +3451,13 @@ PHP_FUNCTION(pg_copy_from) if (UNEXPECTED(!tmp)) { return; } - zend_string *zquery = zend_string_alloc(ZSTR_LEN(tmp) + 1, false); + // we give allocation room for a potential command line `\n` terminator addition + zend_string *zquery = zend_string_alloc(ZSTR_LEN(tmp) + 2, false); memcpy(ZSTR_VAL(zquery), ZSTR_VAL(tmp), ZSTR_LEN(tmp) + 1); ZSTR_LEN(zquery) = ZSTR_LEN(tmp); - if (ZSTR_LEN(tmp) > 0 && ZSTR_VAL(zquery)[ZSTR_LEN(tmp)] != '\n') { + if (ZSTR_LEN(tmp) > 0 && ZSTR_VAL(zquery)[ZSTR_LEN(tmp) - 1] != '\n') { ZSTR_VAL(zquery)[ZSTR_LEN(tmp)] = '\n'; + ZSTR_VAL(zquery)[ZSTR_LEN(tmp) + 1] = '\0'; ZSTR_LEN(zquery) ++; } if (PQputCopyData(pgsql, ZSTR_VAL(zquery), ZSTR_LEN(zquery)) != 1) { @@ -6213,7 +6215,7 @@ PHP_FUNCTION(pg_put_copy_end) { zval *pgsql_link; pgsql_link_handle *link; - zend_string *error; + zend_string *error = NULL; char *err = NULL; ZEND_PARSE_PARAMETERS_START(1, 2) diff --git a/ext/pgsql/tests/gh18148.phpt b/ext/pgsql/tests/gh18148.phpt new file mode 100644 index 0000000000000..6cc2a2542086f --- /dev/null +++ b/ext/pgsql/tests/gh18148.phpt @@ -0,0 +1,24 @@ +--TEST-- +Fix GH-18148 pg_copy_from() command position offset when giving explicit \n terminator +--EXTENSIONS-- +pgsql +--SKIPIF-- + +--FILE-- + +--EXPECT-- +bool(true) diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c index d119063502c0c..28923c4cb3925 100644 --- a/ext/simplexml/simplexml.c +++ b/ext/simplexml/simplexml.c @@ -639,7 +639,9 @@ static zval *sxe_property_get_adr(zend_object *object, zend_string *zname, int f SXE_ITER type; zval member; - cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; + if (cache_slot) { + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; + } sxe = php_sxe_fetch_object(object); GET_NODE(sxe, node); diff --git a/ext/simplexml/tests/gh18304.phpt b/ext/simplexml/tests/gh18304.phpt new file mode 100644 index 0000000000000..c6b0f76bd04e2 --- /dev/null +++ b/ext/simplexml/tests/gh18304.phpt @@ -0,0 +1,18 @@ +--TEST-- +GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault) +--CREDITS-- +orose-assetgo +--EXTENSIONS-- +simplexml +--FILE-- +'); +$field = 'abc'; +$sxe->$field .= 'hello'; +var_dump($sxe->$field); +?> +--EXPECTF-- +object(SimpleXMLElement)#%d (1) { + [0]=> + string(5) "hello" +} diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c index 354ac2e5178d0..0654a97dfc861 100644 --- a/ext/snmp/snmp.c +++ b/ext/snmp/snmp.c @@ -1861,7 +1861,9 @@ static zval *php_snmp_get_property_ptr_ptr(zend_object *object, zend_string *nam return zend_std_get_property_ptr_ptr(object, name, type, cache_slot); } - cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; + if (cache_slot) { + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; + } return NULL; } diff --git a/ext/snmp/tests/gh18304.phpt b/ext/snmp/tests/gh18304.phpt new file mode 100644 index 0000000000000..2faf503ac1a58 --- /dev/null +++ b/ext/snmp/tests/gh18304.phpt @@ -0,0 +1,15 @@ +--TEST-- +GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault) +--CREDITS-- +orose-assetgo +--EXTENSIONS-- +snmp +--FILE-- +$field++; +var_dump($snmp->$field); +?> +--EXPECT-- +int(1) diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 49ed056771114..3d9d2a9535cbd 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -863,7 +863,9 @@ static zval *spl_array_get_property_ptr_ptr(zend_object *object, zend_string *na if ((intern->ar_flags & SPL_ARRAY_ARRAY_AS_PROPS) != 0 && !zend_std_has_property(object, name, ZEND_PROPERTY_EXISTS, NULL)) { - cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; + if (cache_slot) { + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; + } /* If object has offsetGet() overridden, then fallback to read_property, * which will call offsetGet(). */ diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c index 5222fe2a7fa4d..ca7788fd749e4 100644 --- a/ext/spl/spl_observer.c +++ b/ext/spl/spl_observer.c @@ -336,12 +336,10 @@ static inline HashTable* spl_object_storage_debug_info(zend_object *obj) /* {{{ ZEND_HASH_FOREACH_PTR(&intern->storage, element) { array_init(&tmp); - /* Incrementing the refcount of obj and inf would confuse the garbage collector. - * Prefer to null the destructor */ - Z_ARRVAL_P(&tmp)->pDestructor = NULL; zval obj; - ZVAL_OBJ(&obj, element->obj); + ZVAL_OBJ_COPY(&obj, element->obj); add_assoc_zval_ex(&tmp, "obj", sizeof("obj") - 1, &obj); + Z_TRY_ADDREF(element->inf); add_assoc_zval_ex(&tmp, "inf", sizeof("inf") - 1, &element->inf); zend_hash_next_index_insert(Z_ARRVAL(storage), &tmp); } ZEND_HASH_FOREACH_END(); diff --git a/ext/spl/tests/gh18304.phpt b/ext/spl/tests/gh18304.phpt new file mode 100644 index 0000000000000..d93ee3534d0d4 --- /dev/null +++ b/ext/spl/tests/gh18304.phpt @@ -0,0 +1,14 @@ +--TEST-- +GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault) +--CREDITS-- +orose-assetgo +--FILE-- + 1]); +$ao->setFlags(ArrayObject::ARRAY_AS_PROPS); +$field = 'abc'; +$ao->$field++; +var_dump($ao->$field); +?> +--EXPECT-- +int(2) diff --git a/ext/spl/tests/gh18322.phpt b/ext/spl/tests/gh18322.phpt new file mode 100644 index 0000000000000..e70cbd0d37dd5 --- /dev/null +++ b/ext/spl/tests/gh18322.phpt @@ -0,0 +1,27 @@ +--TEST-- +GH-18322 (SplObjectStorage debug handler mismanages memory) +--FILE-- +__debugInfo(); +$tmp2 = $tmp[array_key_first($tmp)]; +unset($tmp); // Drop $tmp2 RC to 1 +$tmp2[0]['obj'] = new stdClass; +var_dump($tmp2); + +?> +--EXPECT-- +array(1) { + [0]=> + array(2) { + ["obj"]=> + object(stdClass)#3 (0) { + } + ["inf"]=> + int(1) + } +} diff --git a/ext/standard/array.c b/ext/standard/array.c index 0c2de2a98a1d9..6c753c27e8a6e 100644 --- a/ext/standard/array.c +++ b/ext/standard/array.c @@ -1972,8 +1972,10 @@ static zend_long php_extract_ref_overwrite(zend_array *arr, zend_array *symbol_t } else { ZVAL_MAKE_REF_EX(entry, 2); } - zval_ptr_dtor(orig_var); + zval garbage; + ZVAL_COPY_VALUE(&garbage, orig_var); ZVAL_REF(orig_var, Z_REF_P(entry)); + zval_ptr_dtor(&garbage); } else { if (Z_ISREF_P(entry)) { Z_ADDREF_P(entry); diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c index dbbf9896f2b73..415c45a2d14e3 100644 --- a/ext/standard/basic_functions.c +++ b/ext/standard/basic_functions.c @@ -215,31 +215,16 @@ static void php_putenv_destructor(zval *zv) /* {{{ */ static void basic_globals_ctor(php_basic_globals *basic_globals_p) /* {{{ */ { - BG(umask) = -1; - BG(user_tick_functions) = NULL; - BG(user_filter_map) = NULL; - BG(serialize_lock) = 0; - - memset(&BG(serialize), 0, sizeof(BG(serialize))); - memset(&BG(unserialize), 0, sizeof(BG(unserialize))); - - memset(&BG(url_adapt_session_ex), 0, sizeof(BG(url_adapt_session_ex))); - memset(&BG(url_adapt_output_ex), 0, sizeof(BG(url_adapt_output_ex))); + memset(basic_globals_p, 0, sizeof(php_basic_globals)); - BG(url_adapt_session_ex).type = 1; - BG(url_adapt_output_ex).type = 0; + basic_globals_p->umask = -1; + basic_globals_p->url_adapt_session_ex.type = 1; - zend_hash_init(&BG(url_adapt_session_hosts_ht), 0, NULL, NULL, 1); - zend_hash_init(&BG(url_adapt_output_hosts_ht), 0, NULL, NULL, 1); - -#if defined(_REENTRANT) - memset(&BG(mblen_state), 0, sizeof(BG(mblen_state))); -#endif - - BG(page_uid) = -1; - BG(page_gid) = -1; + zend_hash_init(&basic_globals_p->url_adapt_session_hosts_ht, 0, NULL, NULL, 1); + zend_hash_init(&basic_globals_p->url_adapt_output_hosts_ht, 0, NULL, NULL, 1); - BG(syslog_device) = NULL; + basic_globals_p->page_uid = -1; + basic_globals_p->page_gid = -1; } /* }}} */ diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c index e4dd38637570a..44dd33bab10ac 100644 --- a/ext/standard/iptc.c +++ b/ext/standard/iptc.c @@ -204,6 +204,7 @@ PHP_FUNCTION(iptcembed) if (spool < 2) { if (zend_fstat(fileno(fp), &sb) != 0) { + fclose(fp); RETURN_FALSE; } diff --git a/ext/standard/tests/file/gh18212.phpt b/ext/standard/tests/file/gh18212.phpt new file mode 100644 index 0000000000000..6e4d8ad9bd328 --- /dev/null +++ b/ext/standard/tests/file/gh18212.phpt @@ -0,0 +1,13 @@ +--TEST-- +GH-18212: fseek with SEEK_CUR and negative offset leads to negative file stream position. +--FILE-- + +--EXPECT-- +int(-1) +int(-1) + diff --git a/ext/standard/tests/file/stream_rfc2397_007.phpt b/ext/standard/tests/file/stream_rfc2397_007.phpt index dcbe5beeb3dc9..49a037e855fbd 100644 --- a/ext/standard/tests/file/stream_rfc2397_007.phpt +++ b/ext/standard/tests/file/stream_rfc2397_007.phpt @@ -118,7 +118,7 @@ int(2) bool(false) ===S:-10,C=== int(-1) -bool(false) +int(2) bool(false) ===S:3,S=== int(0) diff --git a/ext/standard/tests/gh18209.phpt b/ext/standard/tests/gh18209.phpt new file mode 100644 index 0000000000000..6a759639f7dcb --- /dev/null +++ b/ext/standard/tests/gh18209.phpt @@ -0,0 +1,23 @@ +--TEST-- +GH-18209: Use-after-free in extract() with EXTR_REFS +--CREDITS-- +Noam Rathaus (nrathaus) +--FILE-- + 42]; +extract($array, EXTR_REFS); +var_dump($b); + +?> +--EXPECT-- +int(42) +int(43) diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c index d0a3673c89423..0432e7c757e80 100644 --- a/ext/xmlreader/php_xmlreader.c +++ b/ext/xmlreader/php_xmlreader.c @@ -117,7 +117,7 @@ zval *xmlreader_get_property_ptr_ptr(zend_object *object, zend_string *name, int xmlreader_prop_handler *hnd = zend_hash_find_ptr(&xmlreader_prop_handlers, name); if (hnd == NULL) { retval = zend_std_get_property_ptr_ptr(object, name, type, cache_slot); - } else { + } else if (cache_slot) { cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; } diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c index 3b2fe0bc366c2..45b9e2f9c74ec 100644 --- a/ext/zip/php_zip.c +++ b/ext/zip/php_zip.c @@ -353,13 +353,13 @@ typedef struct { #endif } zip_options; +/* Expects opts to be zero-initialized. */ static int php_zip_parse_options(HashTable *options, zip_options *opts) /* {{{ */ { zval *option; /* default values */ - memset(opts, 0, sizeof(zip_options)); opts->flags = ZIP_FL_OVERWRITE; opts->comp_method = -1; /* -1 to not change default */ #ifdef HAVE_ENCRYPTION @@ -889,8 +889,6 @@ static zval *php_zip_get_property_ptr_ptr(zend_object *object, zend_string *name zval *retval = NULL; zip_prop_handler *hnd = NULL; - cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; - obj = php_zip_fetch_object(object); if (obj->prop_handler != NULL) { @@ -899,6 +897,8 @@ static zval *php_zip_get_property_ptr_ptr(zend_object *object, zend_string *name if (hnd == NULL) { retval = zend_std_get_property_ptr_ptr(object, name, type, cache_slot); + } else if (cache_slot) { + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; } return retval; @@ -1738,7 +1738,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /* size_t path_len = 1; zend_long glob_flags = 0; HashTable *options = NULL; - zip_options opts; + zip_options opts = {0}; int found; zend_string *pattern; @@ -1802,6 +1802,9 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /* if (opts.add_path) { if ((opts.add_path_len + file_stripped_len) > MAXPATHLEN) { + if (basename) { + zend_string_release_ex(basename, 0); + } php_error_docref(NULL, E_WARNING, "Entry name too long (max: %d, %zd given)", MAXPATHLEN - 1, (opts.add_path_len + file_stripped_len)); zend_array_destroy(Z_ARR_P(return_value)); diff --git a/ext/zip/tests/addGlob_empty_options.phpt b/ext/zip/tests/addGlob_empty_options.phpt new file mode 100644 index 0000000000000..f4a4126059a7b --- /dev/null +++ b/ext/zip/tests/addGlob_empty_options.phpt @@ -0,0 +1,22 @@ +--TEST-- +addGlob with empty options +--EXTENSIONS-- +zip +--FILE-- +open($file, ZipArchive::CREATE | ZipArchive::OVERWRITE); +$zip->addGlob(__FILE__, 0, []); +var_dump($zip->statIndex(0)['name'] === __FILE__); +$zip->close(); + +?> +--CLEAN-- + +--EXPECT-- +bool(true) diff --git a/ext/zip/tests/addGlob_too_long_add_path_option.phpt b/ext/zip/tests/addGlob_too_long_add_path_option.phpt new file mode 100644 index 0000000000000..9598eeca40a89 --- /dev/null +++ b/ext/zip/tests/addGlob_too_long_add_path_option.phpt @@ -0,0 +1,21 @@ +--TEST-- +addGlob with too long add_path option +--EXTENSIONS-- +zip +--FILE-- +open($file, ZipArchive::CREATE | ZipArchive::OVERWRITE); +$zip->addGlob(__FILE__, 0, ['add_path' => str_repeat('A', PHP_MAXPATHLEN - 2)]); +$zip->close(); + +?> +--CLEAN-- + +--EXPECTF-- +Warning: ZipArchive::addGlob(): Entry name too long (max: %d, %d given) in %s on line %d diff --git a/main/debug_gdb_scripts.c b/main/debug_gdb_scripts.c index de7d0c5c92df8..384a1c8b46ee8 100644 --- a/main/debug_gdb_scripts.c +++ b/main/debug_gdb_scripts.c @@ -698,6 +698,7 @@ asm( ".ascii \"\\\"\\\"\\\"\\n\"\n" ".ascii \"\\n\"\n" ".ascii \"import gdb\\n\"\n" + ".ascii \"import gdb.printing\\n\"\n" ".ascii \"import re\\n\"\n" ".ascii \"\\n\"\n" ".ascii \"pp_set = gdb.printing.RegexpCollectionPrettyPrinter(\\\"php\\\")\\n\"\n" diff --git a/main/php_scandir.c b/main/php_scandir.c index 7d1eb36023665..7bf91bdf7f33d 100644 --- a/main/php_scandir.c +++ b/main/php_scandir.c @@ -83,7 +83,7 @@ PHPAPI int php_scandir(const char *dirname, struct dirent **namelist[], int (*se newv = (struct dirent **) realloc (vector, vector_size * sizeof (struct dirent *)); if (!newv) { - return -1; + goto fail; } vector = newv; } @@ -113,6 +113,7 @@ PHPAPI int php_scandir(const char *dirname, struct dirent **namelist[], int (*se free(vector[nfiles]); } free(vector); + closedir(dirp); return -1; } #endif diff --git a/main/php_version.h b/main/php_version.h index e46868a3abd88..aa5164884fc24 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -2,7 +2,7 @@ /* edit configure.ac to change version number */ #define PHP_MAJOR_VERSION 8 #define PHP_MINOR_VERSION 4 -#define PHP_RELEASE_VERSION 6 -#define PHP_EXTRA_VERSION "-dev" -#define PHP_VERSION "8.4.6-dev" -#define PHP_VERSION_ID 80406 +#define PHP_RELEASE_VERSION 7 +#define PHP_EXTRA_VERSION "" +#define PHP_VERSION "8.4.7" +#define PHP_VERSION_ID 80407 diff --git a/main/streams/streams.c b/main/streams/streams.c index e83acd5f7e161..661a0da9c883c 100644 --- a/main/streams/streams.c +++ b/main/streams/streams.c @@ -1390,6 +1390,10 @@ PHPAPI int _php_stream_seek(php_stream *stream, zend_off_t offset, int whence) } whence = SEEK_SET; break; + case SEEK_SET: + if (offset < 0) { + return -1; + } } ret = stream->ops->seek(stream, offset, whence, &stream->position); diff --git a/scripts/gdb/php_gdb.py b/scripts/gdb/php_gdb.py index 7fef2ad1f49c8..3e40ef8a3b411 100644 --- a/scripts/gdb/php_gdb.py +++ b/scripts/gdb/php_gdb.py @@ -28,6 +28,7 @@ """ import gdb +import gdb.printing import re pp_set = gdb.printing.RegexpCollectionPrettyPrinter("php") diff --git a/win32/build/config.w32 b/win32/build/config.w32 index 043f18b275b9d..7180e841ebc48 100644 --- a/win32/build/config.w32 +++ b/win32/build/config.w32 @@ -267,7 +267,11 @@ if (TARGET_ARCH == 'arm64') { DEFINE('FIBER_ASM_FLAGS', '/DBOOST_CONTEXT_EXPORT=EXPORT /nologo /c /Fo'); } -ADD_FLAG('ASM_OBJS', '$(BUILD_DIR)\\Zend\\jump_' + FIBER_ASM_ABI + '.obj $(BUILD_DIR)\\Zend\\make_' + FIBER_ASM_ABI + '.obj'); +var all_asm_objs = '$(BUILD_DIR)\\Zend\\jump_' + FIBER_ASM_ABI + '.obj $(BUILD_DIR)\\Zend\\make_' + FIBER_ASM_ABI + '.obj'; +if (TARGET_ARCH == 'x64') { + all_asm_objs += ' $(BUILD_DIR)\\Zend\\save_xmm_x86_64_ms_masm.obj'; +} +ADD_FLAG('ASM_OBJS', all_asm_objs); MFO.WriteLine('$(BUILD_DIR)\\Zend\\jump_' + FIBER_ASM_ABI + '.obj: Zend\\asm\\jump_' + FIBER_ASM_ABI + '.asm'); MFO.WriteLine('\t$(PHP_ASSEMBLER) $(FIBER_ASM_FLAGS) $(BUILD_DIR)\\Zend\\jump_$(FIBER_ASM_ABI).obj Zend\\asm\\jump_$(FIBER_ASM_ABI).asm'); @@ -275,6 +279,11 @@ MFO.WriteLine('\t$(PHP_ASSEMBLER) $(FIBER_ASM_FLAGS) $(BUILD_DIR)\\Zend\\jump_$( MFO.WriteLine('$(BUILD_DIR)\\Zend\\make_' + FIBER_ASM_ABI + '.obj: Zend\\asm\\make_' + FIBER_ASM_ABI + '.asm'); MFO.WriteLine('\t$(PHP_ASSEMBLER) $(FIBER_ASM_FLAGS) $(BUILD_DIR)\\Zend\\make_$(FIBER_ASM_ABI).obj Zend\\asm\\make_$(FIBER_ASM_ABI).asm'); +if (TARGET_ARCH == 'x64') { + MFO.WriteLine('$(BUILD_DIR)\\Zend\\save_xmm_x86_64_ms_masm.obj: Zend\\asm\\save_xmm_x86_64_ms_masm.asm'); + MFO.WriteLine('\t$(PHP_ASSEMBLER) $(FIBER_ASM_FLAGS) $(BUILD_DIR)\\Zend\\save_xmm_x86_64_ms_masm.obj Zend\\asm\\save_xmm_x86_64_ms_masm.asm'); +} + ADD_FLAG("CFLAGS_BD_ZEND", "/D ZEND_ENABLE_STATIC_TSRMLS_CACHE=1"); if (VS_TOOLSET && VCVERS >= 1914) { ADD_FLAG("CFLAGS_BD_ZEND", "/d2FuncCache1");